Joe TidyCyber Correspondent, BBC World Service
Hackers who attempted to extort a nursery chain by posting stolen images and data about children on the darknet have removed the posts and claim to have deleted the information.
The criminals began posting profiles of the children to their website last Thursday, adding another 10 children days later and vowing to continue until Kido Schools paid a ransom in Bitcoin.
The criminals also contacted parents directly with threatening phone calls whilst trying to get their ransom paid.
But public revulsion at their attack appears to have forced the criminals to backtrack.
First they blurred the images but kept the data up – now they have taken all the information offline, and apologised for their actions.
Their apparent change of heart has been met with scepticism by experts, who had previously condemned the targeting of nurseries as a “new low” for cyber-criminals.
“This is more about pragmatism than morality,” said cyber-security expert Jen Ellis.
“These criminals are clearly shocked and worried by the attention their hack has caused and they are trying to protect themselves or their brand.”
The hackers claim to have deleted everything they took – which included the private details and pictures of around 8,000 children as well as contact information for parents and carers.
“All child data is now being deleted. No more remains and this can comfort parents,” one of the cyber-criminals involved told the BBC.
It’s understood Kido have not paid the hackers a ransom which was thought to be around £600,000.
Past cases have shown that hackers often say they have deleted stolen data and been found to have kept it or sold it on.
When the UK’s National Crime Agency took down the cyber crime gang LockBit they discovered troves of data still on the criminal’s servers that victims had paid to be deleted.
The nursery hackers, calling themselves Radiant, appear to be concerned that their hack has crossed an undefined moral line since the public outcry began against them.
“We are sorry for hurting kids,” the cyber-criminals told BBC News.
It’s not known who the hackers or hacker are but they appear to be a new and possibly inexperienced group.
Their darknet site is newly created but they claim to have carried out other hacks in the past.
This isn’t the first time that cyber-criminals have backtracked on an attack.
In 2020 a gang using Dopplepaymer ransomware gifted their encryption key to a German hospital after the chaos contributed to the death of an emergency care patient.
When Conti hackers attacked the Irish Health Service in 2021 they too gave their antidote away for free claiming not to have deliberately targeted hospitals.
Months before, criminals from the Darkside group took the strange decision to post proof that they had donated some of their ill-gotten bitcoin to charities.
The nursery hackers claimed they broke into the nursery’s systems by buying access to one of Kido’s staff computers which was compromised by a separate hacker.
In a common process, the “initial access broker” sold the Kido access to Radiant, which went on to further infiltrate Kido’s systems and steal the data.
The majority of the downloaded material including the pictures of children was taken from Kido’s account with Famly – a popular early years education platform .
Famly has rejected Kido’s message to parents that the breach happened as a result of Famly being compromised.
It has stressed to the BBC that neither the security or infrastructure of the platform has been compromised at any point.
Kido did not respond to a request for comment about the way the hackers stole the data.
A spokesperson said only that: “We recently identified and responded to a cyber incident. We are working with external specialists to investigate and determine what happened in more detail.
“We swiftly informed both our families and the relevant authorities and continue to liaise closely with them.”
Radiant says it paid the initial access broker money for access to Kido’s system.
So with Kido refusing to pay and the hackers giving up their extortion attempt the criminals appear to have actually lost money in this cyber-attack.
