The rise of the student hacker: Dozens of UK schools have fallen victim to insider attacks by their own pupils, worrying ICO research shows


  • ICO finds majority of insider cyber attacks in UK schools caused by students
  • Many breaches linked to weak passwords or stolen logins exploited by pupils
  • Officials urge schools and parents to guide curiosity into legal, positive channels

The Information Commissioner’s Office (ICO) has warned that students are increasingly behind insider cyber attacks in UK schools and colleges.

Between January 2022 and August 2024, the ICO analyzed 215 data breach reports from the education sector involving insider threats.

It found 57% of incidents were caused by students. Nearly a third stemmed from stolen or guessed login details, with pupils responsible for 97% of these cases.

Logging in, not breaking in

While Hollywood has portrayed teenage hackers with a degree of glamour in films such as Ferris Bueller’s Day Off or Hackers, the reality described by the ICO is both more mundane and more damaging.

Children are not breaking into systems but rather logging in, often by exploiting weak passwords or taking advantage of poor data protection practices.

One case highlighted by the ICO showed how quickly curiosity can turn into a serious breach.

“Three Year 11 students unlawfully accessed a secondary school’s information management system, which holds personal information of more than 1,400 students. When questioned, the students admitted being interested in IT and cybersecurity, and that they wanted to test their skills and knowledge. The students used tools downloaded from the internet to break passwords and security protocols, with two of the students admitting that they belong to an online hackers’ forum.”


In another example from the ICO:

“A student unlawfully accessed a college’s information management system, then viewed, amended or deleted personal information belonging to more than 9,000 staff, students and applicants. The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs and emergency contacts. The college’s investigation found the student used a staff login to access its systems. The college reported the incident to the police, to us and Action Fraud.”

The ICO found 23% of incidents in the education sector were caused by poor data protection practices, such as staff accessing records without a legitimate need, leaving devices unattended, or allowing pupils to use staff devices.

Another 20% involved staff sending data to personal accounts, while 17% came from poorly configured access rights.

5% involved insiders deliberately bypassing network security.

“Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality,” Heather Toomey, Principal Cyber Specialist, said.

“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organizations or critical infrastructure.”

The ICO is urging schools to strengthen training, reduce unnecessary access, and ensure data protection is updated regularly.

Parents are also being encouraged to talk openly with their children about online behavior, with the aim of steering curiosity into positive channels rather than criminal activity.

“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists,” Toomey concluded.


Wayne Williams is a freelancer writing news for TechRadar Pro. He has been writing about computers, technology, and the web for 30 years. In that time he wrote for most of the UK’s PC magazines, and launched, edited and published a number of them too.
