From threats to apology, hackers pull child data offline after public backlash

Last week we yelled at some “hackers” that threatened parents after stealing data from their children’s nursery.

This followed a BBC report that a group calling itself “Radiant” claimed to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India.

To prove their possession of the data, the criminals posted samples on their darknet website, including pictures and profiles of ten children. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid.

A few days later, they added profiles of another ten children and threatened to keep going until Kido paid their ransom demand. The group also published the private data of dozens of employees including names, addresses, National Insurance numbers, and contact details.

The criminals then reportedly contacted parents directly with threatening phone calls whilst pushing to get their ransom paid.

But after massive pushback from the general public and some prominent members of the malware community, the attackers initially blurred the children’s images but left the data online. Soon after, they pulled everything offline and issued an apology.

They even claim to have deleted all the children’s data. One of the cybercriminals told the BBC:

“All child data is now being deleted. No more remains and this can comfort parents.”

But, as we have mentioned many times before, computers—and the internet in particular—are not very good at “forgetting” things. Data tends to pop up in unexpected places. Remember when supposedly deleted iPhone photos showed up again after an iOS update?

And, of course, all we have to go on is the word of a criminal with such a bad reputation that even they seemed ashamed of what they did.

They might be feeling a bit sorry for themselves, as they claim to have paid an initial access broker (IAB) for the access to Kido’s systems and will likely see no return on that “investment”.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
Set up identity monitoring, which alerts you if your personal information is found being traded illegally online and helps you recover after.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.