Kido Nursery Hackers Threaten to Release Additional Children’s Profiles | Cybercrime Update

A hacker threatens to release personal information and photographs of thousands of nursery children online unless a ransom is paid.

Identified by the alias Shine, the hacker compromised the UK-based Kido Nursery chain and revealed the profiles of 10 children online on Thursday. Their Dark Web site features a “Data Leak Roadmap,” indicating plans to “publish 30 profiles of personal data for each child and 100 employees.”

A cybersecurity briefing reviewed by the Guardian suggests that Radiant is a new entity within the cybercrime landscape, “pushing the limits of morality and practicality.”

The group’s online content demonstrates proficient English skills; however, there are hints they may not be Western, attributed to a “slight awkwardness” in their phrasing, the analysis indicates.

The Radiant Gang’s “leak sites”—a common strategy in ransomware attacks displaying victim data on the dark web—contain 10 Kido customer profiles for parents, which include the child’s name, date of birth, parent’s and grandparent’s names, as well as address and phone number.

The site claims to possess sensitive information on over 8,000 children and their families, documenting incidents, protection reports, and claims. All Kido nurseries in the UK have reported being impacted.

The leak site mentioned its efforts to negotiate with Kido, stating, “It’s slowly leaking, which undermines the entire company and prompts them to continue the dialogue.”

A spokesperson from Kido stated: “We have recently identified and responded to cyber incidents. We are collaborating with external experts to investigate and determine the details of what occurred. We will promptly inform both our families and relevant authorities and maintain close communication with them.”

The nursery chain is collaborating with authorities, including the intelligence committee’s office, Ofsted, and the Metropolitan Police, which is currently conducting an investigation.

An email from Kido UK CEO Catherine Stoneman, reviewed by the Guardian, noted a “complex” forensic investigation and emphasized treating the incident as a “first priority.” She suggested that the breach involved “two third-party systems responsible for processing certain data.”

Stoneman elaborated: “If we confirm that family information has been compromised, affected families have been contacted. If you have not received direct communication, that means there is no forensic evidence indicating your data has been impacted.”

With 18 locations across London, the US, India, and China, Kido informed parents that the breach occurred due to criminal access to data hosted on a software service known as Famly.

Famly’s CEO, Anders Laustsen, stated: “We will conduct a comprehensive investigation into this matter to ensure that Famly’s security and infrastructure have not been compromised.”

One parent shared with the BBC that she received a threatening phone call from a hacker.

Sean, whose child attends Kido Nursery in Tooting, southwest London, expressed that neither he nor any parents he knew had been directly informed by the nursery about the potential compromise of their children’s data. “How could they obtain details for specific kids, not just generally? That’s the real issue,” he remarked.

Sean noted that he viewed the risk of real-time information regarding children—such as through cyberattacks—as a necessary trade-off for using the app. He empathized with nursery staff who bear the brunt of parental complaints, pointing out that the app provider should be held accountable.

“One of the obviously alarming aspects is that anyone could stoop to such depths to extort money from a nursery while using children as leverage,” he said.

Authorities are cautioning businesses against paying hacker ransoms to help prevent the perpetuation of criminal activities, as cyberattacks continue to escalate in frequency.

Recent high-profile victims include the Co-op, Marks & Spencer, and Jaguar Land Rover. Many of these attacks have been linked to an English-speaking cybercrime group known as “Scattered Spider.”

The M&S hack utilized ransomware commonly associated with Russian-speaking cyber gangs, including software designed to lock target IT systems.

The BBC communicated with the criminals via the Signal messaging app and found them fluent in English, but learned that it was not their primary language and that they employed others to make calls.

The hacker remarked, “We do it for profit, not just for the sake of being criminals. I know I’m committing crimes and this isn’t my first or my last.”

They added that the public scrutiny was too intense, leading them to refrain from targeting nurseries again.

Source: www.theguardian.com
