Just when you think extortionists can’t sink any lower, along comes a lowlife that manages to surprise you.
The BBC reported that a group calling itself “Radiant” claims to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India.
The data the group says it stole includes names, photos, addresses, dates of birth, and details about their parents or carers. The hack also reportedly exposed safeguarding notes and medical information.
To prove they possessed the data, the criminals posted samples, including pictures and profiles of ten children, on their darknet website. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid.
When contacted by the BBC about their extortion attempt, the group defended their actions, claiming to:
“… deserve some compensation for our pentest.”
They should educate themselves before continuing. In most jurisdictions, to carry out this type of “penetration testing” legally, they need to get explicit permission from the company first (or choose a company that runs a bug bounty program).
As if stealing children’s data and publishing it on the dark web weren’t bad enough, Joe Tidy at the BBC reported that the group also called some of the children’s parents, telling them to put pressure on the nursery chain to pay the ransom demand, or they’ll leak their child’s data.
If history has taught us anything, the next step is that they will try to extort the parents individually, as happened in the case of the Finnish psychotherapy practice Vastaamo. Trust me, these things never end well. In Vastaamo’s case, the clinic went bankrupt, at least one suicide has been linked to the case, and the attackers have been sentenced to jail time.
Kido has not issued a public statement. Although the investigation is ongoing, the company has contacted parents to confirm the incident and offer reassurance.
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.