Over half (57%) of insider data breaches in UK schools are caused by students, with many children being set up for “a life of cybercrime,” a new report from the Information Commissioner’s Office (ICO) has found.
The regulator analyzed 215 personal data breach reports caused by insider attacks in the education sector between January 2022 and August 2024.
Around a third (30%) of these incidents were caused by stolen login details. Students were responsible for 97% of such attacks, using tactics such as guessing weak passwords or finding them jotted down on bits of paper.
In one example highlighted in the investigation, three Year 11 students (aged 15-16) unlawfully accessed a secondary school’s information management system, which held personal information of more than 1400 students. The hackers used tools downloaded from the internet to break passwords and security protocols.
When questioned, the students said they wanted to test their cyber skills and knowledge, with two of them admitting that they belong to an online hacker forum.
In another case, a student unlawfully accessed a college’s information management system, then viewed, amended or deleted personal information belonging to more than 9000 staff, students and applicants. Access was gained through a staff member’s login details.
“Children are hacking into their schools’ computer systems – and it may set them up for a life of cybercrime. That’s the warning from us, as we have spotted a worrying pattern behind the culprits responsible for personal data breach reports from schools,” the ICO wrote in the study published on September 11.
The findings come after the National Crime Agency (NCA) reported that one in five children aged 10 to 16 have engaged in illegal activity online.
In 2024, the youngest referral to the NCA’s Cyber Choices program, an initiative encouraging people to use cyber skills in a legal way, was a seven-year-old child.
The Need to Channel Cyber Curiosity
The ICO urged parents to have regular conversations with their children about their online activities and the choices they are making.
Heather Toomey, Principal Cyber Specialist at the ICO, commented: “It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.”
Chris Wysopal, former white hat hacker and chief security evangelist at Veracode, argued that the ICO findings are a consequence of the limited entry-level opportunities in cybersecurity.
“Many of the pupils engaging in this behaviour aren’t hardened criminals, but curious minds testing boundaries in a safe environment,” he said.
“Not every teenager who experiments with passwords or systems should be branded a criminal for life. Instead, schools and the wider industry need to do more to channel this curiosity into legitimate cyber careers. The same curiosity that leads to mischief in the classroom can, with the right guidance, become the foundation of a vital skillset the UK desperately needs in its cyber workforce,” Wysopal added.
Staff Error and Poor Data Practices Prevalent
The ICO report found that 23% of insider breaches in schools were caused by poor data protection practices. These include staff accessing or using data without a legitimate need, devices being left unattended and students being allowed to use staff devices.
A fifth (20%) of incidents were caused by staff sending data to personal devices, while 17% were attributed to incorrect setup of, or access rights to, systems such as SharePoint.
Insiders using sophisticated techniques to bypass security and network controls were identified in 5% of insider breaches.