Students acting maliciously – often for fun – are increasingly the cause of cyber attacks affecting schools and colleges in the UK, according to new data from the Information Commissioner’s Office, which today warned that the culprits may be setting themselves up for a life of cyber crime.
Britain’s data protection regulator probed over 200 insider data breach reports in the education sector between January 2022 and August 2024, and found that over half, 57% in total, were caused by students, and almost a third, 30% all told, were caused by stolen login details, with students responsible for 97% of those.
The ICO’s warning comes amid a national conversation on the teenage, English-speaking hackers involved in the prolific cyber crime collective referred to variously as Scattered Spider, ShinyHunters, Lapsus$, and sometimes all three. This gang has been linked to a spate of incidents this year, including attacks on Marks & Spencer and, more recently, Jaguar Land Rover.
It also follows a recent National Crime Agency report that found a fifth of 10 to 16 year-olds had engaged in illegal activity online, and 5% of 14 year-olds had engaged in outright hacking. In 2024, according to the NCA, a seven year-old was referred to its Cyber Choices digital crime prevention programme.
“Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality,” said Heather Toomey, principal cyber specialist at the ICO.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.
“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists,” said Toomey.
There are many reasons why children and young people might be tempted into hacking – some do it for dares, some for notoriety in their peer group, out of revenge or as a result of rivalries, and in a few cases for financial gain.
In one incident reported to the ICO, three Year 11 students accessed their school’s information management system containing pupil data, having downloaded tools from the internet specifically designed to break passwords and security protocols. Two of the children involved were members of an online hacking forum, and when questioned, all admitted to an interest in cyber security and said that they had wanted to test their skills and knowledge.
In a different and rather more damaging case, a student accessed their college’s information management system and proceeded to view, amend or delete personal information belonging to staff, students and course applicants. Some of the data contained in this system included names and addresses, academic records, health and safeguarding data, pastoral logs, and emergency contacts.
In the second instance, the student stole and used a staff login to access the system, but a deeper analysis of the 215 insider breach reports revealed that about a quarter of the incidents arose through poor data protection practices by teaching staff – including devices being left unattended or students being allowed to use staff devices.
A further fifth of the observed incidents were caused by staff sending data to personal devices, and about 17% were caused by technical failings, such as incorrect system setups or poor access management practice.
Only 5% of incidents were identified as insiders using “sophisticated techniques” to bypass security and network controls, once again highlighting the importance of paying close attention to basic security measures.
Be part of the solution
The ICO today called on schools to be part of the solution to insider threat by taking steps to improve their overall security practices, and remove the temptation to hack from students.
Among other things, school leadership should be conducting and refreshing GDPR training to raise standards and awareness among staff of the need to do better, said the ICO. The regulator also reaffirmed the obligation to report incidents when they go wrong.
For parents and guardians, the ICO highlighted the need to keep channels of communication open with their offspring – hard as this may be with teenagers – to have regular check-ins on their online activity and to discuss the choices they are making before what might feel like harmless fun escalates to criminality.
Parents may also wish to consider engaging with the NCA-coordinated Cyber Choices programme, which contains resources to help families explore tech skills, and understand the devastating consequences of becoming involved in cyber crime.
