This week on The Awareness Angle:
- UK government pushes ahead with a compulsory digital ID scheme, raising big questions over privacy, access, and trust
- Hackers breach a nursery chain, leaking children’s profiles and even calling parents to pressure a ransom
- Cybercriminals ramp up attacks on law firms, exploiting weak systems to grab sensitive client data
Plus: npm cracks down on package security, Gartner claims deepfake phone scams are everywhere, and cookie pop-ups might finally be on the way out
Listen on your favourite podcast platform - Spotify, Apple Podcasts and YouTube
Cyber Security Awareness Month videos with Hoxhunt
We’ve teamed up with Hoxhunt again this year to create a series of short, snappy videos for Cyber Security Awareness Month. Each one is just one to two minutes long and covers social engineering in messaging apps, the psychology behind social engineering, how AI is powering spear phishing, and how to spot deepfakes. They’re quick, practical, and perfect for sharing with your colleagues, friends, or family. You can grab them directly from the Hoxhunt toolkit, and there are unbranded versions if you’d like to use them in your own awareness programmes.
Get the toolkit here - https://hoxhunt.com/cybersecurity-awareness-month-toolkit-2025
This week's stories...
UK Digital ID scheme announced
Watch the discussion - https://youtu.be/_d_U0lnxO3Y?t=861
Prime Minister Keir Starmer has confirmed plans for a compulsory UK-wide digital ID scheme, positioned as a way to modernise public services and tackle illegal working. A consultation will look at how it could be made accessible to people without smartphones or passports, with government figures pointing to countries like Estonia as examples of how such systems can underpin everyday life. Supporters say a digital ID could streamline everything from renting a flat to applying for childcare.
But the proposal has already sparked fierce opposition from civil liberties groups and political opponents who argue it’s intrusive, unworkable, or a distraction from more pressing issues. A centralised system of identity raises huge questions around surveillance, resilience, and trust, especially if one outage could lock millions of people out of work, healthcare, or banking. Like any major shift in how citizens prove who they are, it’s likely to attract misinformation and confusion. Communicating the real purpose and limits of the scheme will be a huge challenge for government, and educating people clearly will be just as important as the technology itself.
Read more - https://www.bbc.co.uk/news/articles/c4g54g6vgpdo
∠The Awareness Angle
- Privacy and trust – Citizens need to know how their most personal data will be stored, accessed, and protected.
- Access and exclusion – Those without digital devices or technical skills must not be locked out of essential services.
- Security and reliability – A national ID scheme creates a single, tempting target for attackers and outages alike.
Hackers Target UK Nursery Chain
Watch the discussion - https://youtu.be/_d_U0lnxO3Y?t=1142
Hackers calling themselves Radiant have breached the Kido nursery chain, stealing and publishing sensitive profiles of children, parents, and staff. In a disturbing twist, they even phoned parents directly to pressure the company into paying a ransom, taking the threat out of boardrooms and into family homes. Kido has confirmed the attack, while pointing to the childcare software provider Famly as the source, though Famly denies its systems were compromised.
This one feels different. We often talk about financial data or business disruption, but this is children’s names, photos, and family details being posted online. It shows that criminals don’t care about the emotional impact of their actions, only the leverage they can get. The backlash has been fierce, with many saying targeting nurseries crosses a line, but lines don’t really exist for groups motivated purely by money. For families caught up in this, the fear and distress go well beyond the usual narrative of “data breach.”
∠The Awareness Angle
- Escalation of tactics – Directly contacting parents shows how ransomware groups are turning up the pressure.
- Children’s data at risk – Even the most sensitive and personal information can be exploited when criminals see value.
- Third-party software risk – The breach highlights how supply-chain weaknesses can spill over into childcare and education.
Cybercriminals Target Law Firms
Watch the discussion - https://youtu.be/_d_U0lnxO3Y?t=1337
Cybercriminals are increasingly going after law firms, drawn to the treasure trove of sensitive client data they hold. From financial records and ID documents to contracts and legal strategies, it’s a goldmine for anyone who manages to get in. Weak passwords, outdated systems, and a lack of staff training are making it far too easy. Recent reports suggest that around one in five law firms has faced a cyberattack in the last year, and some of those breaches have already led to lawsuits and costly settlements.
What makes this especially worrying is how normalised it has become to email highly sensitive information to a solicitor (proof of ID, bank account details, property contracts) without ever really knowing how secure their systems are. Smaller firms may be particularly at risk, running on ageing tech and limited budgets. And while AI is helping some practices streamline work, it’s also arming attackers with tools like deepfakes and more convincing social engineering. For an industry built on trust, the risks are only getting sharper.
Read more - https://www.helpnetsecurity.com/2025/09/23/law-firms-cyberthreats/
∠The Awareness Angle
- Human factor – Phishing, vishing, and social engineering remain the easiest way into legal systems.
- Tech hygiene – MFA, regular patching, and proper access controls are non-negotiable for protecting client data.
- AI as a threat – Deepfakes and AI-enabled scams are raising the stakes for an industry that can’t afford to get it wrong.
Do you have something you would like us to talk about? Are you struggling to solve a problem, or have you had an awesome success? Reply to this email telling us your story, and we might cover it in the next episode!
Awareness Awareness
SANS Security Awareness Summit 2025 – Videos Now Live
If you work in awareness or you’re just curious about how the best in the industry do it, the SANS Security Awareness Summit is the place to look. Every talk from this year’s summit is now on YouTube, covering everything from culture and psychology to storytelling and phishing simulations. With 350 people in the room and over 4,000 watching online, it’s the biggest event of its kind.
There are plenty of gems, but one that really stood out was Erin West’s keynote on nation-state scams. What used to be called pig butchering has evolved into large-scale romance scams run like industrial operations, with jaw-dropping evidence and a delivery that had the whole room gasping. It’s the kind of talk that could easily be a BBC documentary. If you only watch one video, make it that one, but honestly, the whole playlist is worth your time.
Watch the full playlist – https://www.youtube.com/playlist?app=desktop&list=PL_zMFkM-50Ub7R5x6mrl0p0xQqgUzlKlL
Coming up on Risky Creative
We’ll be releasing more interviews we recorded at the summit over the next week on our YouTube channel. These include conversations with vendors and awareness professionals, each offering a different take on the challenges and opportunities in our field. Keep an eye out, they’ll be dropping daily.
You can watch the chats we've already released on YouTube - https://www.youtube.com/playlist?list=PLEsOj51Q0PfBkhHwg2BTlxB6kfutJO1c3
This Week's Discussion Points...
News
- Jaguar Land Rover cyberattack halts production, supply chain hit hard
- Ransomware disrupts major European airports via Collins Aerospace software
- UK government to launch compulsory digital ID scheme
- Hackers threaten to leak children’s data from Kido nurseries
- Law firms increasingly targeted for sensitive client data
- GitHub strengthens npm supply chain security after worm attacks
- Nearly half of businesses report deepfake audio attacks on staff
- Tired of cookie pop-ups? EU looks to scrap consent overload
Thanks for reading! If you’ve spotted something interesting in the world of cyber this week — a breach, a tool, or just something a bit weird — let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.
And finally… Cookie Pop-Ups Could Soon Disappear
Watch the discussion - https://youtu.be/_d_U0lnxO3Y?t=2428
Good news for anyone who’s sick of clicking “accept” every time they open a website — the EU is looking at scrapping the rules that created cookie pop-ups in the first place. The 2009 e-Privacy Directive was supposed to give people more control over their data, but instead it’s left us drowning in banners. Now regulators are talking about letting people set their preferences once in their browser and be done with it.
It sounds small, but it could change how billions of us experience the internet. Privacy groups are already worried it’ll mean more tracking with less say for users, while businesses argue it’s about time we ditched the pop-up overload. And honestly, that’s the story of cyber in a nutshell — everything ends up as a fight between compliance and convenience. The trick is finding a balance that doesn’t annoy everyone while still keeping our data safe.
Read more - https://www.politico.eu/article/eu-cookie-consent-rules-change/
∠The Awareness Angle
- User experience vs privacy – Fewer pop-ups could be great, but only if people still stay in control.
- Global impact – EU rules usually spread far beyond Europe, so this could change things everywhere.
- Compliance vs convenience – Cookie banners are just one example of the constant trade-off in security decisions.