Cybercriminals pilfered photographs and sensitive family data on thousands of children from a UK kindergarten chain and demanded a ransom not to release it. Photo / 123rf
In late September, parents at a chain of British kindergartens got shocking news: They’d been hacked.
Cybercriminals had pilfered photographs and sensitive family data on thousands of children and demanded a ransom not to release it.
A week later, the gang behind the hack contacted parents with news maybe even more shocking: Never mind.
The ransomware group calling itself “Radiant” said yesterday that they were backing down in the face of a growing backlash.
Public revulsion over the targeting of children - probably along with warnings from other cybercriminals to cool it - apparently proved too much even for some of the dark web’s darkest dwellers.
They even apologised.
“We are sorry for hurting kids,” Radiant said to a BBC cybercrime reporter who had been in contact with the gang.
“All child data is now being deleted. No more remains and this can comfort parents.”
What’s this? Shame has reached the shameless shadows of the internet?
Not so much, said cybercrime experts. It was more risk management than stirring morality driving Radiant’s abrupt turnabout.
“I wouldn’t give them too much credit,” said Jamie MacColl, senior cybersecurity research fellow at the Royal United Services Institute, a London think-tank. “But there are some red lines, and this group crossed one of them.”
The wave of public outrage over hacking toddlers - “a new low”, cyber expert Graeme Stewart told Sky News - did play a role, MacColl said.
But the meaningful pressure would have come from inside the virtual villages of hackers and online extortionists, largely centred in Russia and Russian-speaking countries, he said. They didn’t want their own schemes getting extra attention.
“The revulsion comes from the good guys,” MacColl said. “But there will be pressure from the Russian cyber community or even law enforcement because the level of scrutiny they were drawing from Western law agencies is not worth it.”
The incident is part of a cybercrime spree hitting institutions across the United Kingdom, including some iconic brands.
Hackers have stolen customer and employee data from Harrods, Marks and Spencer, and the London Underground system.
The British government recently approved US$2 billion ($3.4b) in loan guarantees for luxury carmaker Jaguar Land Rover and its suppliers after a cyberattack on September 1 brought production to a halt for more than a month.
That didn’t ease the shock of families who were notified on September 25 that Kido schools, a chain with 18 kindergartens in London and outlets in the United States and India, had become the latest target.
Parents described the agonies of having images of their children, along with home addresses and vital details of parents and grandparents, potentially being dumped into the black markets of the web.
Gang members called some parents on their mobile numbers, telling them to demand that the company pay up. They wanted £600,000 ($1,386,500) if parents wanted protection, according to the BBC’s account of its reporter’s exchange with the group.
The hackers said they deserved at least that much for exposing vulnerabilities in the school network.
It’s unclear how the hackers accessed the company’s secure databases. Kido Schools did not respond to a request for comment.
Cyber cops deal with thousands of ransomware attacks a year, but the targeting of children prompted even distant professionals to weigh in, MacColl said. He saw the chatter flare up on the Signal channels that security experts use to swap tips and chase leads.
“This has definitely exercised people,” MacColl said. “You’ve seen it in previous cases of cyber extortion when data from vulnerable groups are posted online.”
“Grey hat” hackers, a category of computer aces who operate on both sides of the law, would have hunted around for those responsible. Radiant was not a known outfit to security ranks, MacColl said, but it had all the earmarks of numerous Russia-based hacker groups.
Britain’s official anti-cybercrime agency advises victims of digital extortion not to pay ransom, which Kido Schools apparently heeded.
After a week without Kido providing the money, Radiant posted the data for 10 of the kids on the dark web. A few days later, they posted 10 more.
By this time, MacColl said, they would have been hearing from other hacker groups, maybe even from Russian law enforcement, who didn’t like all the heat the case was bringing to the hacker ecosystem.
“For the most part, whenever a group is getting too much attention or being too successful, they will be disrupted by Western law enforcement,” MacColl said.
At first, the hackers blurred the faces of the photos they had published. By yesterday, they had thrown in the towel completely, claiming to have deleted all the stolen data and declaring their caper a bust.
Parents can be relieved, cyber experts said, but they can’t be sure Radiant really did purge all their information. Hackers may apologise from time to time, but they’re far more likely to lie.
Sign up to Herald Premium Editor’s Picks, delivered straight to your inbox every Friday. Editor-in-Chief Murray Kirkness picks the week’s best features, interviews and investigations. Sign up for Herald Premium here.