A group of hackers calling themselves Radiant, who tried to extort a nursery chain, have reportedly taken down all stolen information and claimed to have deleted it. The hackers had posted profiles of approximately 8,000 children on the dark web, including private details and photos, and contacted parents directly with threatening phone calls. They vowed to continue releasing information until Kido Schools paid a ransom of around £600,000 in Bitcoin. However, public revulsion and widespread media attention appear to have caused the criminals to backtrack. They initially blurred the images but kept the data visible before eventually taking all the information offline and apologizing for their actions.
Experts are highly skeptical of the hackers’ apparent change of heart, suggesting it’s more about self-preservation than morality. Jen Ellis, a cybersecurity expert, stated that the criminals seem shocked and worried by the attention their hack has generated and are now trying to protect themselves or their reputation. She noted that these criminals likely see their actions as a “new low” for the cybercrime world. The hackers claim to have deleted everything they stole, including private details and pictures of the children, as well as contact information for parents and carers. “All child data is now being deleted. No more remains and this can comfort parents,” one of the hackers told the BBC, also adding, “We are sorry for hurting kids.”
It is understood that Kido has not paid the ransom. Despite the hackers’ claims, past cases show that criminals often say they have deleted stolen data but have been found to have kept or sold it. When the UK’s National Crime Agency took down the cybercrime gang LockBit, they found troves of data still on the criminals’ servers that victims had paid to be deleted. The hackers, who appear to be a new and possibly inexperienced group, now seem concerned that their hack has crossed an undefined moral line since the public outcry began. This isn’t the first time cybercriminals have reversed course; in the past, some gangs have provided decryption keys for free after their attacks resulted in serious consequences, like the death of a patient at a German hospital.
Radiant claims they gained access to the nursery’s systems by purchasing access to one of Kido’s staff computers that had been compromised by a separate hacker, a common practice known as “initial access brokering.” They then infiltrated Kido’s systems and stole the data. The majority of the stolen material, including the children’s pictures, was taken from Kido’s account with Famly, a popular early years education platform. Famly has denied Kido’s claim that the breach happened as a result of their platform being compromised, stressing that their security and infrastructure were not breached at any point. Kido has not commented on the specific method of the hack, only stating that they identified and responded to a cyber incident and are working with external specialists to investigate.
Since Kido refused to pay the ransom and the hackers have now abandoned their extortion attempt, the criminals appear to have lost money in this attack. Radiant claims they paid the initial access broker for access to Kido’s system, and with the ransom unpaid, they have effectively lost that investment. This unusual outcome, coupled with their public apologies, highlights the unprecedented backlash and moral outrage this specific type of cybercrime has generated, forcing the hackers to reverse their course and abandon their efforts.
Reference: