The UK Information Commissioner’s Office (ICO) recently found that students are responsible for most of the data breaches occurring in UK schools. The independent regulator for data protection reported that nearly a third of all insider attacks were the result of students guessing weak passwords or finding them written down. This led the ICO to issue a warning that children hacking into school systems could be a path to a life of cybercrime.
Between January 2022 and August 2024, the ICO reviewed 215 insider data breach reports from the education sector. They discovered that students were the culprits in 57% of all cases and 97% of incidents involving stolen login details. This trend is mirrored by a National Crime Agency (NCA) warning that one in five children between the ages of 10 and 16 admit to illegal online activity, with referrals for such behavior starting as young as seven. While many teen hackers are English-speaking males, about 5% of 14-year-old girls also admit to hacking. The reasons for these actions vary, from dares and revenge to rivalries, status, or money, all of which highlight how curiosity can easily turn into cybercrime.
According to Heather Toomey, Principal Cyber Specialist at the ICO, the “insider threat” is often poorly understood and goes unremedied, which can lead to future harm and criminality. She explained that a simple dare or challenge in a school can lead to children carrying out damaging attacks on organizations or critical infrastructure. Toomey stressed the importance of understanding the next generation’s motivations online to ensure they stay on the right side of the law and can pursue rewarding careers in a field that desperately needs specialists.
An analysis of 215 insider breaches in schools revealed some clear patterns. Poor data protection practices caused 23% of incidents, including staff misusing data, leaving devices unattended, or letting students use them. Staff sending data to personal devices accounted for 20% of incidents, and 17% stemmed from misconfigured systems like SharePoint. The report noted that only 5% of the incidents involved insiders using advanced methods to bypass security. These findings show that weak practices and human error are the main drivers of most school cyber incidents, while a small minority involve deliberate, skilled attempts to break defenses.
In one example cited by the ICO, three 11th-grade students used password-cracking tools to break into their school’s system, which held data on 1,400 classmates. Two of the students even admitted to being part of an online hacking forum. To help address this, the NCA urges parents to talk with their children about online behavior, warning that what might seem like a small “prank” can become a serious cybercrime. The NCA’s Cyber Choices program offers resources to help guide kids toward using their tech skills for good and to help families understand the risks of cybercrime.
Reference:
