Hackers say they have deleted children's pictures and data after nursery attack backlash
Hackers who threatened to extort a nursery chain by posting sensitive images and data about children on the darknet have taken down the posts and claim to have deleted the details.
The criminals began posting profiles of the children on their website last Thursday, adding details for another ten children along with a vow to continue until Kido Schools paid a ransom in Bitcoin. In addition to the online threats, the criminals also contacted parents with threatening phone calls. However, the public outrage surrounding their attack appears to have compelled them to reconsider.
Initially, they blurred the photos, but now they have taken all the details offline and apologised for their actions. Experts are sceptical about the hackers' apparent change of heart, having previously condemned the targeting of nurseries as a "new low" for cyber-criminals. "This is more about pragmatism than morality," said cyber-security expert Jen Ellis. "These criminals are clearly shocked and concerned about the attention their hack has generated, and they are obviously worried about protecting themselves and their 'brand'."
'Comfort for parents'
The hackers claim to have deleted everything they stole, which included the personal information and pictures of around 8,000 children, as well as contact information for parents and carers.
"All child data is now deleted. Nothing remains," one of the cyber-criminals involved reportedly said, adding that they hoped "this may have brought comfort to parents." Kido reportedly did not pay the hackers the ransom, which was estimated to be around £600,000.
In similar recent cases, hackers have often claimed to have deleted stolen information only to be found to have kept it or sold it on. When the UK's National Crime Agency busted the cybercrime group LockBit, they discovered troves of data on the criminals' servers that victims had paid to have deleted.
The nursery hackers, who call themselves Radiant, seem to be worried that their attack has breached an unwritten ethical code. According to BBC News, the cyber-criminals said, "We are sorry for the pain caused to the children."
It is unclear who the hacker or hackers are, but they appear to be a new and possibly inexperienced group. Their darknet website is new, though they claim to have carried out other hacks in the past.
This isn't the first time cyber-criminals have backtracked on an attack. A gang using DoppelPaymer ransomware gave a German hospital the decryption key for free after the chaos they caused led to the death of a patient in emergency care. When Conti hackers attacked the Irish Health Service in 2021, they also gave the decryption key away for free, claiming not to have intentionally targeted hospitals. Months before, criminals from the Darkside group made the bizarre move of publishing proof that they had donated some of their ill-gotten bitcoin to charities.
The hackers gained access to the nursery's networks via one of Kido's computers, which had been compromised by a separate hacker. An "initial access broker" sold access to Kido's systems to Radiant, who then penetrated the networks and stole the data.
The bulk of the downloaded content, including photos of children, was taken from Kido's account with Famly, a well-known early years education platform. Kido initially told parents the attack was the result of Famly being compromised, a claim Famly has denied. Famly has repeatedly told the BBC that neither its platform's security nor its infrastructure has been compromised at any time. Kido did not respond to a request for information about how the hackers obtained the data.
"We recently detected and responded to a cyber-attack," a spokesperson said. "We are working with external consultants to investigate and determine in more detail what happened. We promptly informed both our families and the relevant authorities and continue to work closely with them."
Radiant claims it paid the initial access broker for access to Kido's device. With Kido refusing to pay and the hackers reneging on their extortion attempt, the criminals appear to have lost money on this cyber-attack.