Cybercriminals who stole pictures and the private information of thousands of nursery children have deleted the data after a backlash against the hack.
A gang calling themselves Radiant have removed details of children at the UK-based Kido nursery chain from a website it had set up to extort victims.
A screenshot of the site, seen by the Guardian, no longer displays children’s profiles from the hack. It now displays a Kido logo with “view more” underneath it, but a cybersecurity source said the link did not work – implying that the data has been removed.
A Kido spokesperson confirmed the attackers had removed information that they had previously published.
The spokesperson said: “Throughout this incident we have followed guidance from the authorities that discourages ransom payments as they only fuel and incentivise further criminal activity. We continue to work closely with families, regulators, law enforcement and our cybersecurity experts to investigate and take active steps to confirm that the data is permanently deleted.”
The BBC first reported the deletion and quoted one of the hackers who said: “We are sorry for hurting kids.”
The targeting of children was widely criticised, with cybersecurity analysts describing the hack as “appalling” and “testing the boundaries of morality”. One parent whose child is at a Kido nursery in London said the hackers were “sinking to new depths”.
The Guardian has also seen evidence of Radiant gang members on an underground cybercrime forum being told by criminal peers to refrain from attacking children.
On Wednesday a member of Nova, a gang that offers hacking services to fellow criminals, told a persona called Radiant on the Russian Anonymous Market Place forum: “reputation important, don’t attack child right”. Radiant replied that they “have disabled any attacks relating to them, is not allowed any more” and added: “Any data relating to under 19s who attended have been deleted.”
The leak site and forum posts were screenshotted by analysts at the cybersecurity firm Sophos.
Hacking gangs are sensitive to negative publicity, not least because it raises their exposure to action from law enforcement and disrupts relationships within the hacking community.
Rebecca Taylor, a researcher at Sophos, said: “Even cybercriminals know some lines can’t be crossed. Radiant learned that stealing data belonging to children doesn’t just attract attention, it burns credibility. It erodes any legitimacy they claim, particularly as they appear to be a newly formed group.”
Taylor said “credibility is king” for groups demanding ransoms for stolen data because it gave them leverage in negotiations. The BBC reported that Radiant had demanded £600,000 in bitcoin from Kido to return the data but that Kido had not paid the ransom.
“Deleting the data wasn’t an act of kindness, it was damage control. This was a rare moment when morality and self-interest briefly aligned,” Taylor said.
However, the revamped Radiant leak site – the term for such portals – appears to be ready for more victims, with a search bar for finding companies that have been hacked by the group, plus details of how to contact the group via Tox, an encrypted messaging service.
Although Radiant has shown a proficient command of English in its communications, analysts believe the group could be non-western. Most ransomware groups – groups who encrypt a company’s IT files and steal data – are from states from the former Soviet Union. Radiant appears to be a new group within cybercrime circles, according to analysts.
Prior to the deletion, one woman told the BBC she had received a threatening phone call from the criminals who said they would post her child’s information online unless she put pressure on Kido to pay a ransom. Kido has nurseries on 18 sites around London and more in the US, India and China.
Radiant had claimed to have sensitive data on more than 8,000 children and their families, including accident and safeguarding reports, as well as billing information. It said all Kido nurseries in the UK were affected.
One cybercriminal told the BBC: “All child data is now being deleted. No more remains and this can comfort parents.”
