UK ICO reports students caused over half of school data breaches, showing kids are shaping cybersecurity in unexpected ways.
The UK Information Commissioner’s Office (ICO), students were responsible for most of the data breaches suffered by the schools in the country.
The U.K.’s independent regulator for data protection and information rights also reported that nearly one-third of insider attacks came from students guessing weak passwords or spotting them written on scraps of paper.
“Children are hacking into their schools’ computer systems – and it may set them up for a life of cyber crime. That’s the warning from us, as we have spotted a worrying pattern behind the culprits responsible for personal data breach reports from schools.” reads the alert issued by UK ICO.
Between January 2022 and August 2024, ICO researchers reviewed 215 insider data breach reports from the education sector and found students were responsible for most of the incidents. They caused 57% of all cases and 97% of breaches tied to stolen login details. The NCA warns that one in five children aged 10 to 16 admit to illegal online activity, with referrals starting as young as seven. Many teen hackers are English-speaking males, but girls also take part, with about 5% of 14-year-olds admitting to hacking. Kids hack for many reasons—dares, revenge, rivalries, status, or money—showing how curiosity often crosses into cybercrime.
“Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality.” said Heather Toomey, Principal Cyber Specialist.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.”
“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.” Toomey added.
An analysis of 215 insider breaches in schools shows clear patterns. Poor data protection drives 23% of incidents, with staff misusing data, leaving devices unattended, or letting students use them. The experts also reported that staff sending data to personal devices causes 20% of the incidents, while 17% stem from misconfigured systems like SharePoint. Only 5% of the incidents involved insiders using advanced methods to bypass security. These findings highlight how weak practices and human error fuel most school cyber incidents, while a minority show deliberate, skilled attempts to break defenses.
In one case reported by ICO, three year 11 students broke into their school’s system holding data on 1,400 classmates. Curious about IT and cyber security, they tested their skills with password-cracking tools from the web. Two even admitted being part of an online hacking forum.
The NCA urges parents to talk with children about online behavior, warning that small “pranks” can become cybercrimes with serious consequences. Examples include logging into a friend’s account without permission, misusing saved credit cards, or hacking into devices. The NCA’s Cyber Choices program offers resources to guide kids in using their tech skills positively and to help families understand the risks of cybercrime.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)
