Hackers say they have stolen the pictures, names and addresses of around 8,000 children from the Kido nursery chain.
The gang of cyber criminals is using the highly sensitive information to demand a ransom from the company, which has 18 sites in and around London, with more in the US and India.
The criminals say they also have information about the children’s parents and carers as well as safeguarding notes.
They claim to have contacted some parents by phone as part of their extortion tactics.
The BBC has contacted Kido for comment but has not had a response.
The company has not released any public statements about the hack but parents and nurseries have been notified.
Cyber-security firm Check Point described the targeting of nurseries as “an absolute new low”.
One of its experts, Graeme Stewart, said: “To deliberately put children and schools in the firing line, is indefensible. Frankly, it is appalling.”
Jonathon Ellison, from the National Cyber Security Centre, described the hack as “deeply distressing”.
“Cyber criminals will target anyone if they think there is money to be made, and going after those who look after children is a particularly egregious act,” he said.
An employee said the nursery was asking parents not to speak to the media – though some have spoken to the BBC.
“It’s not ideal of course, we would rather they had been using some sort of encryption software,” said one parent, who asked to be referred to as Mary.
“The nursery told us very quickly.”
Mary said her family had received an email from the hackers, who told them what information had been taken.
“It was all very professional and well-written, no spelling mistakes or anything like that,” she said.
“My partner actually works in cyber-security and we understand these things happen.
“But we do feel the nursery has handled it well.”
And Bryony Wilde, who has one child at a Kido nursery in London, told the BBC the children whose data was taken were “completely innocent victims”.
“They are kids – their personal details shouldn’t be worth anything,” she said.
“You are probably prepared to go a little bit further to protect children’s privacy and personal details.”
The hacking group responsible for the claims appears to be relatively new and calls itself Radiant.
The cyber criminals contacted the BBC about the hack and have subsequently posted details of it to their darknet website.
The group has published a sample of data there, including pictures and profiles of 10 children from the stolen data set.
The sample was published as part of its attempt to extort money from the nursery chain, which has its 18 nurseries mostly in the London area.
Police advise against paying ransoms, as doing so further fuels the cyber-crime ecosystem.
When asked by BBC News if they felt bad about extorting a nursery using the children’s data, the criminals said they “weren’t asking for an enormous amount” and they “deserve some compensation for our pentest.”
A “pentest” – or penetration test – is the term for when ethical hackers are hired to assess the security of an organisation in a controlled and professional way.
These hackers, however, attacked the nursery chain without its permission.
“Of course” it’s about money, they admitted to the BBC.
The hack is the latest in a series of high-profile cyber-attacks, which has seen production grind to a halt at Jaguar Land Rover, and caused massive disruption to M&S and the Co-op.
Rebecca Moody, head of data research at software firm Comparitech, said the nature of the data posted online raised “alarm bells”.
“We’ve seen some low claims from ransomware gangs before, but this feels like an entirely different level,” she said.
She said the firm should contact anyone affected by the data breach “as a matter of urgency”.
The Metropolitan Police told the BBC it had received a referral on September 25 “following reports of a ransomware attack on a London-based organisation”.
“Enquiries are ongoing and remain in the early stages within the Met’s Cyber Crime Unit,” it said.
A spokesperson from the Information Commissioner’s Office said: “Kido International has reported an incident to us and we are assessing the information provided.”
Additional reporting by Graham Fraser, Technology reporter, and Kate Moore, News reporter.