PhD|| Visiting Lecturer || Multi-Award winning Cybersecurity Professional || Teacher|| Keynote Speaker|| Cybersecurity Career Coach and Mentor|| Cyblack||
Day 1/31 “When Innocence Was Exploited” Kido International - 2025 A cyber-attack hit an institution built on care, where trust is everything. Few days ago, a criminal group calling itself Radiant claimed to have breached Kido International (A nursery chain with 18 UK sites and additional sites overseas). The group reportedly stole personal information of about 8000 children. The attackers published profiles of 20 children on a darknet leak site, and private data of employees. They contacted some parents and carers, threatening to post more information, unless Kido pays a ransom. The stolen data includes children’s names, photographs, DOBs, home addresses etc. Multiple reports indicate the breach involved third-party systems. Community Challenge The attackers claimed they "deserve to be compensated for their pentest” Was this truly a penetration test? Explain why or why not.
Not a penetration testing because there was no authorisation to run the test prior to that. It’s a ransomware attack, in my opinion.
It definitely wasn't a penetration test. Beyond the organization involved, the parents were left emotionally troubled, sensitive information was stolen and funds lost. If Radiant really wanted to carry out a pentest on kido, there's a right way to it, which was known to them.
No, because they weren’t authorized to test or exploit vulnerabilities ethically. A true pentest is always authorized by the organization, with clear scope and consent. What Radiant did was clearly criminal. Stealing sensitive data, leaking it on the dark web, and demanding ransom. If their aim was to highlight vulnerabilities, they could have just followed responsible disclosure channels. Instead, they weaponized the data of children in demand for money. Happy awareness month month Mama
There is a clear difference between penetration testing and unethical hacking. For a pentest, there will be an agreement between the asset owner and the pentester that will dictate the rules of engagement. Also, if they want to claim it's a black box testing or a random discovery, getting the PII and leaking it already shows a malicious intent.
This is not a penetration testing because there was no authorization from Kido to allow Radiant to go through their system. Also, in penetration testing, the vulnerabilities found are summarized and sent to the management of the company not exploited.
Fatai Asekun
3w
The fact that the data were released on darknet sites and victims were threaten already signifies that this is not a penetration testing. Also they breach in without legal authorisation is another point to prove that.
This definitely isn’t a penetration test, it’s a clear cyberattack. Real pentests are authorized, scoped, and focused on strengthening security, not exposing data or demanding ransom.
A Penetration Test or pentest is an ethical simulated cyberattack on an organizations network, computer system, application, website, database (think of what connects the organization within and outside it) to identify security vulnerabilities before malicious actors can exploit them. It’s important to note that: 📝 a Pentest is ethical and permitted by the organization ✨ there must be a scope to authorize the test and boundaries of the testing 📝 the test is done in the best interest of the organization as it is a compliance requirement and helps them to maintain their reputation. Per the above, this was not a Pentest.
This is not a PenTest. The organisation will contact you to carry out a PenTest. And it will have a define scope. The exposure of private details online has damaged that Care business that was built on trust. This is a clear case of ransom ware and with this even if the ransom is paid you can not guarantee they will keep to the deal.
B.Sc Computer Science | Aspiring Cybersecurity Analyst | GRC Trainee at ICDFA
3wThis definitely is not pentesting because: 1. Radiant did not have authorized access from Kido 2. Some of the children’s PII were released on the dark web 3. Kido was asked to pay Radiant to stop them from posting more information, this is a clear case of a ransomware attack because a ransom was requested.