The UK Metropolitan Police (Met) have arrested two 17-year-old boys in connection with the major ransomware attack that compromised the data of thousands of children at the Kido nursery chain.
The arrests, on suspicion of computer misuse and blackmail, took place on Tuesday, October 7, 2025, in Bishop’s Stortford, Hertfordshire. The operation was carried out by officers from the Met’s specialist Cyber Crime Unit.
Details of the Extortion Campaign
The ongoing police investigation was launched on September 25 after the ransomware group, Radiant, claimed to have stolen sensitive data on approximately 8,000 young children and their families.
The scope of the breach was alarming as the stolen information included names, home addresses, photographs, contact details for parents and carers, and critically, confidential medical records and safeguarding notes. Hackers reportedly gained access to the data through Famly, a third-party software service widely used by the nursery group.
Radiant employed extreme tactics to extort the company. They demanded a ransom of approximately £600,000 in Bitcoin, called parents directly to pressure the nursery into paying, and posted some children’s photos on the dark web.
However, the group faced massive backlash, including criticism from within the cybercriminal community, which resulted in a swift retreat. In a highly unusual turn, Radiant first blurred the images and then claimed to have deleted all the stolen files on October 2. One cybercriminal was quoted by the BBC as stating, “All child data is now being deleted. No more remains, and this can comfort parents.”
Police and Nursery Responses
Following the arrests, Will Lyne, the Met’s Head of Economic and Cybercrime, issued a statement reassuring the community that the force is taking the matter “extremely seriously” and working to bring those responsible to justice.
The Kido nursery group also released a statement welcoming the police action. A Kido spokesperson stated: “We welcome this swift action from the Met and recognise this is an important milestone in the process of bringing those responsible to justice.”
The two boys remain in custody for questioning as the investigation is ongoing.
Education Sector’s Growing Vulnerability
The Kido incident shows just how serious the cyber crisis is for the education sector, which is frequently held back by limited IT funding, making schools and nurseries prime targets for ransomware.
Cybersecurity firms AtlastVPN and Sophos’ June 2023 investigation, reported by Hackread, revealed that 80% of lower education providers were hit by ransomware in one year. Recent findings by Forcepoint’s X-Lab have warned of campaigns using the Remcos (RAT) Remote Access Trojan (RAT), delivered via deceptive phishing emails sent from compromised small business or school accounts to appear trustworthy.
The Kido attack, where children’s data was used for extortion, represents an “absolute new low” in cybercrime, claimed cybersecurity firm Check Point, showing that protecting student data is no longer an IT task but a critical safety and security priority.
