Contact The Editor
Articles By This Author
LONDON — In late September, parents at a chain of British nursery schools got shocking news: They'd been hacked. Cybercriminals had pilfered photographs and sensitive family data on thousands of children and demanded ransom not to release it.
A week later, the gang behind the hack contacted parents with news maybe even more shocking: Never mind.
The ransomware group calling itself "Radiant" said Wednesday night that they were backing down in the face of a growing backlash. Public revulsion over the targeting of children - probably along with warnings from other cybercriminals to cool it - apparently proved too much even for some of the dark web's darkest dwellers.
They even apologized.
"We are sorry for hurting kids," Radiant said to a BBC cybercrime reporter who had been in contact with the gang. "All child data is now being deleted. No more remains and this can comfort parents."
What's this? Shame has reached the shameless shadows of the internet?
Not so much, said cybercrime experts. It was more risk management than stirring morality driving Radiant's abrupt turnabout.
"I wouldn't give them too much credit," said Jamie MacColl, senior cybersecurity research fellow at the Royal United Services Institute, a London think tank. "But there are some red lines, and this group crossed one of them."
The wave of public outrage over hacking toddlers - "a new low," cyber expert Graeme Stewart told Sky News - did play a role, MacColl said. But the meaningful pressure would have come from inside the virtual villages of hackers and online extortionists, largely centered in Russia and Russian-speaking countries, he said. They didn't want their own schemes getting extra attention.
"The revulsion comes from the good guys," MacColl said. "But there will be pressure from the Russian cyber community or even law enforcement because the level of scrutiny they were drawing from Western law agencies is not worth it."
The incident is part of a cybercrime spree hitting institutions across the United Kingdom, including some iconic brands. Hackers have stolen customer and employee data from Harrods, Marks and Spencer and the London Underground system.
The British government recently approved $2 billion in loan guarantees for luxury carmaker Jaguar Land Rover and its suppliers after a cyberattack on Sept. 1 brought production to a halt for more than a month.
But that didn't ease the shock of families who were notified on Sept. 25 that Kido schools, a chain with 18 nurseries in London and outlets in the United States and India, had become the latest target. Parents described the agonies of having images of their children, along with home addresses and vital details of parents and grandparents, potentially being dumped into the black markets of the web.
Gang members called some parents on their mobile numbers, telling them to demand that the nursery company pay up. They wanted 600,000 pounds (about $800,000) if parents wanted protection, according to the BBC's account of its reporter's exchange with the group. The hackers said they deserved at least that much for exposing vulnerabilities in the nursery school network.
It's unclear how the hackers accessed the company's secure databases. Kido Schools did not respond to a request for comment.
Cyber cops deal with thousands of ransomware attacks a year, but the targeting of children prompted even distant professionals to weigh in, MacColl said. He saw the chatter flare up on the Signal channels that security experts use to swap tips and chase leads.
"This has definitely exercised people," MacColl said. "You've seen it in previous cases of cyber extortion when data from vulnerable groups are posted online."
"Grey hat" hackers, a category of computer aces who operate on both sides of the law, would have hunted around for those responsible. Radiant was not a known outfit to security ranks, MacColl said, but it had all the earmarks of numerous Russia-based hacker groups.
Britain's official anti-cybercrime agency advises victims of digital extortion not to pay ransom, which Kido Schools apparently heeded.
After a week without Kido providing the money, Radiant posted the data for 10 of the kids on the dark web. A few days later, they posted 10 more. By this time, MacColl said, they would have been hearing from other hacker groups, maybe even from Russian law enforcement, who didn't like all the heat the case was bringing to the hacker ecosystem.
"For the most part, whenever a group is getting too much attention or being too successful, they will be disrupted by Western law enforcement," MacColl said.
At first, the hackers blurred the faces of the photos they had published. By Wednesday night, they had thrown in the towel completely, claiming to have deleted all the stolen data and declaring their caper a bust.
Parents can be relieved, cyber experts said, but they can't be sure Radiant really did purge all their information. Hackers may apologize from time to time, but they're far more likely to lie.
(COMMENT, BELOW)