The recent cyberattack on Kido, a UK nursery chain, has sent shockwaves through both the education sector and the wider business community. As a solicitor advising companies on cyber risk, the Kido incident is a stark reminder of the evolving threat landscape and the profound legal, reputational, and human consequences of a data breach.
The attack: a new low in cybercrime
In late September 2025, hackers operating under the name “Radiant” infiltrated Kido’s systems, stealing highly sensitive data—including names, addresses, photographs, and medical records—of around 8,000 children and their families. The attackers demanded a ransom, threatened to leak more data, and even contacted parents directly, urging them to pressure the nursery to pay up. The public backlash was so intense that the hackers eventually removed the data and issued an apology, but the damage—both emotional and reputational—was already done.
Why this matters for all companies
While the Kido case is particularly harrowing due to the nature of the data and the vulnerability of the victims, it is symptomatic of a wider malaise. Cybercriminals are increasingly targeting organisations of all sizes and sectors, exploiting weak links in supply chains, third-party platforms, and human error. No business is immune.
Legal and regulatory duties: what should companies do?
As solicitors, our role is to help clients navigate the immediate aftermath of a cyberattack and to prepare robust defences in advance. Below are some brief (we say brief as if we were engaged to advise, the advice that we would give would be far more specific and all encompassing) points as to how to tackle an incident if it arises:
- Immediate incident response
- Contain and investigate: Work with IT and cyber specialists to isolate affected systems, preserve evidence, and understand the scope of the breach.
- Regulatory notification
- ICO and GDPR: If personal data is compromised, you must notify the Information Commissioner’s Office (ICO) within prescribed timescales. Failure to do so can result in significant fines and reputational harm.
- Communicating with clients and stakeholders
- Transparency: Be honest and prompt in communications with affected individuals. Provide clear information about what happened, what data was involved, and what steps are being taken.
- Managing ransom demands
- Legal and ethical issues: Paying a ransom is fraught with legal and ethical risks, including potential breaches of anti-money laundering laws. Always seek legal advice before considering any payment.
- Learning Lessons and Strengthening Defences
- Review and Test Plans: Regularly test your incident response and business continuity plans. Ensure all staff receive up-to-date cyber awareness training.
The human cost: beyond the legal checklist
The Kido attack is a chilling example of how cybercrime can have real-world consequences for individuals—especially the most vulnerable. For companies, the reputational fallout can be severe, and the emotional toll on staff and clients should not be underestimated.
Final thoughts: a solicitor’s perspective
Cybersecurity is no longer just an IT issue—it is a board-level, legal, and reputational risk. As solicitors, we must help our clients prepare for the worst, respond effectively when the unthinkable happens, and support those affected with empathy and professionalism.
If your organisation is concerned about cyber risk, now is the time to review your policies, test your plans, and ensure you have the right legal and technical support in place. The Kido case is a warning to us all: in the digital age, vigilance and preparation are not optional—they are essential.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us