Two teenaged boys have been arrested following a cyber-attack and attempted extortion of a London nursery group, the Metropolitan Police has revealed.
Officers arrested the duo in the Hertfordshire town of Bishop’s Stortford on Tuesday on suspicion of computer misuse as well as blackmail.
The capital’s police force had been referred the case by Action Fraud on September 25 following the ransomware attack on the Kido nursery group.
Reports suggest that threat actors had tried to extort £600,000 in Bitcoin from the company after stealing data including names, addresses and photos of around 8000 children, plus contact details for parents and carers.
These were reportedly accessed via the nursery’s Famly account, although the app provider confirmed that its own infrastructure was not breached.
Read more on cyber-threats facing nurseries: UK Nurseries Get First Official Cyber-Attack Warning
Dubbing their group “Radiant,” the hackers called parents directly to put the pressure on the group to pay up and posted photos of some of the children on the dark web, according to the BBC.
They reportedly had a change of heart after widespread condemnation of the attack, first blurring the photos and then claiming to have deleted them.
Will Lyne, the Met’s head of economic and cybercrime, claimed officers had been working “at pace” since the attack to apprehend the culprits.
“We understand reports of this nature can cause considerable concern, especially to those parents and carers who may be worried about the impact of such an incident on them and their families,” he added.
“We want to reassure the community and anyone affected that this matter continues to be taken extremely seriously.”
However, Lyne hinted that the force’s inquiries continue.
“These arrests are a significant step forward in our investigation, but our work continues, alongside our partners, to ensure those responsible are brought to justice,” he said.
Children in the Crosshairs
Children’s data is a popular commodity on the dark web, as victims always have a clean credit history and related fraud often goes unrecognized for years.
Several years ago, the annual cost of child identity theft in the US was estimated at nearly $1bn.
Given both the data it holds and its low tolerance for outages, the education sector is also a popular target for ransomware.
However, a large share of data breaches impacting schools are actually perpetrated by students. An ICO report from last month claimed 57% of insider breaches in UK schools could be explained in this way.
Thanks to the activities of Scattered Spider, Lapsus$ and Shiny Hunters, the criminal activities of teens have also been making headlines recently.
A report from last year claimed that a fifth of 10-16-year-olds have committed offenses online.
