Cyber Security Unity is a global community and content hub that is dedicated to bringing individuals and organisations together who actively work in cyber security. The aim of Cyber Security Unity is to foster greater collaboration in the industry to help combat the growing cyber threat. Our work is showcased through the provision of strong thought leadership via blogs, articles, white papers, videos, events, podcasts and more. For more information visit www.csu.org.uk.

By Lisa Ventura MBE FCIIS, Chief Executive and Founder of Cyber Security Unity

The news that broke this week about the cyber attack on Kido nursery chain has sent shockwaves through the early years sector and beyond. Photos, names and addresses of around 8,000 children are understood to have been stolen in a cyber attack against nursery group Kido, with the hacker gang Radiant Group claims it is holding the information in demand for a ransom.

This incident strikes particularly close to home and is abhorrent in every way. Not only does it represent a devastating breach of trust for the families affected, but it also highlights the uncomfortable reality that cyber criminals will target anyone, including our most vulnerable citizens: children.

The Human Cost Behind the Headlines

Before we delve into the technical aspects and protective measures, I want to acknowledge the very real human impact of this attack. My thoughts are with everyone involved at Kido who will be working round the clock to understand what happened and to fix things. The team there will undoubtedly be experiencing enormous stress as they navigate this crisis, and the impact on their mental health and wellbeing cannot be understated.

The cyber security incident response process is incredibly demanding, both technically and emotionally. When you’re dealing with the personal data of children including photographs, names, and addresses, the weight of responsibility becomes almost overwhelming. I’ve seen first-hand how cyber incidents affect the professionals who must respond to them, and I want those at Kido to know that the cyber security community understands the pressure they’re under.

For the parents and families affected, this represents one of their worst fears realised. The organisations we trust most such as schools, nurseries and healthcare providers are supposed to be safe havens for our children’s information. When that trust is broken, it creates anxiety that extends far beyond the immediate technical impact.

The Stark Reality of Modern Cyber Crime

Jonathon Ellison, NCSC Director for National Resilience, described the incident as “deeply distressing”, noting that “Cyber criminals will target anyone if they think there is money to be made, and going after those who look after children is a particularly egregious act”.

This attack on Kido, which has 18 sites in the UK – 17 in London and another in Windsor, demonstrates several concerning trends in modern cyber crime:

Children as Soft Targets: Kids aren’t immune to identity theft, and an increasing number of them are encountering identity fraud before turning 18. Children make attractive targets because children won’t need to look at their credit report for up to 18 years, giving hackers plenty of time to illegally use a child’s information without being noticed.

Ransomware Evolution: Modern ransomware groups don’t just encrypt systems, they steal data first and threaten to publish it, creating multiple pressure points for victims.

Sector Targeting: Early years settings often have limited cyber security resources compared to larger enterprises, making them attractive targets for organised criminal groups.

What Parents Can Do: Practical Steps for Protection

While we cannot control whether the organisations that hold our children’s data will be attacked, we can take steps to protect our families from the potential consequences:

Immediate Actions

Monitor for Unusual Activity: Watch for any unexpected communications about your child such credit applications, tax notices, or collection calls that shouldn’t exist for a minor.

Check for Existing Credit Reports: Contact the three major credit bureaus to find out if your child may be a victim of identity theft. Most children shouldn’t have credit files, so a response of “no file found” or “information does not match” is good news.

Consider a Credit Freeze: If your child is under 16, request a free credit freeze, to make it harder for someone to open new accounts in your child’s name.

Document Everything: Keep records of all communications related to the incident and any steps you take to protect your child’s identity.

Ongoing Protection Strategies

Educate Your Children: Age-appropriate conversations about online safety and the importance of not sharing personal information are crucial. Teach this proactive approach from an early age, you’ll help your kids develop into adults who know how to stay safe.

Secure Physical Documents: Keep documents with your child’s personal information, like medical bills or their Social Security card, in a safe place, like a locked file cabinet. When disposing of documents, shred them properly.

Review Privacy Settings: Adjust privacy settings and use parental controls for online games, apps, social media sites, and other websites that your children use.

Use Strong Security Practices: Implement family-wide cyber security measures including password managers, multi-factor authentication where possible, and regular software updates.

National Cyber Security Centre Guidance

The NCSC has developed specific guidance for early years practitioners, recognising that “The NCSC has bespoke guidance to help early years settings, such as nurseries, protect themselves from attacks, as well as guidance for individuals who are concerned that their data has been affected by a breach”.

The key pillars of the NCSC’s early years guidance include:

  • Regular Backups: Ensuring all critical data is backed up securely and regularly tested
  • Access Controls: Implementing proper password policies and limiting access to sensitive information
  • Staff Training: Regular cyber security awareness training for all staff members
  • Incident Planning: Having clear procedures for responding to potential security incidents

The NCSC also provides guidance specifically for individuals and families affected by data breaches, emphasising the importance of vigilance and proactive protection measures.

The Broader Challenge: Early Years Cyber Security

This incident highlights a critical gap in sector-specific cyber security provisions. Early years settings face unique challenges:

Limited Resources: Unlike large corporations, many nurseries and early years settings operate on tight budgets with limited IT resources.

High-Value Data: They hold exactly the type of personal information that criminals find valuable such full names, dates of birth, addresses, photographs, medical information about children and often financial information from parents.

Complex Compliance: They must navigate multiple regulatory frameworks including GDPR, safeguarding requirements, and sector-specific guidelines.

Staff Turnover: High staff turnover can make it challenging to maintain consistent security awareness and practices.

Moving Forward: Lessons and Resilience

While this attack represents a serious breach of trust and security, it also provides an opportunity for the entire early years sector to strengthen its cyber defences. Key priorities should include:

Sector Collaboration: Early years providers should share threat intelligence and best practices to help protect the entire community.

Investment in Security: Adequate cyber security should be viewed as essential infrastructure, not an optional expense.

Regular Assessment: Ongoing security assessments and penetration testing should become standard practice.

Staff Empowerment: Every team member should understand their role in maintaining cyber security and feel empowered to report concerns.

A Call for Collective Action

The attack on Kido is not an isolated incident, it’s part of a broader pattern of cyber criminals targeting organisations that care for our most vulnerable citizens. As a community, we must respond with determination and solidarity.

For parents, this means taking proactive steps to protect our children’s digital identities while supporting the organisations that care for them in implementing better security measures. For early years providers, it means recognising that cyber security is not just an IT issue—it’s a fundamental duty of care to the children and families you serve.And for policymakers, it means ensuring that adequate resources and support are available to help smaller organisations implement effective cyber security measures.

The cyber criminals who targeted Kido made a calculated decision to attack an organisation caring for children. Our response must be equally calculated and far more determined. Together, we can build a more secure future for our children, both online and offline.
________________________________________________________________________________________________________

For immediate support:

Cyber Security Unity

Cyber Security Unity is a global community and content hub that is dedicated to bringing individuals and organisations together who actively work in cyber security. The aim of Cyber Security Unity is to foster greater collaboration in the industry to help combat the growing cyber threat. Our work is showcased through the provision of strong thought leadership via blogs, articles, white papers, videos, events, podcasts and more. For more information visit www.csu.org.uk.

Share This

Share This

Share this post with your friends!