Children are making their mark on the UK’s cybersecurity scene, and not in the way their parents want them to. According to the country’s Information Commissioner’s Office (ICO), pupils in schools were behind more than half of personal data breaches.
In a warning to teachers and educational institutions, the ICO outlined its analysis of 215 data breach reports stemming from security incidents originating from schools, concluding that students were involved in 57% of hacks.
Almost a third of the breaches were possible because students guessed commonly used passwords, or simply found login information that had been recorded, according to the ICO.
The ICO said, however, that a small number of incidents (5%) required more sophisticated techniques to bypass security and network management. The regulator gave the example of how three Year 11 students hacked into a school’s student information system using tools to crack passwords and bypass security protocols; two of the students even admitted to being part of a hacking forum.
“Kids are hacking into their school’s computer systems – and it could set them up for a life of cybercrime,” the report reads.
The warning goes on to say that daring, fame, money, revenge, and rivalry are reasons why kids claim they hack into systems.
“What starts as a dare, a challenge, a bit of fun in a school environment can ultimately lead to children causing harm by launching attacks on organisations or critical infrastructure,” said Heather Toomey, ICO’s chief cyber officer, in a statement.
The report further showed how these breaches occurred: nearly a quarter of data breaches involved weak data protection practices, such as teachers allowing students to use their own devices; 20% of hacks were caused by employees using personal devices for work; and 17% of breaches occurred due to improper access controls on systems like Microsoft SharePoint.
Calling its findings “worrying,” the ICO urged schools to help address these issues by refreshing GDPR training, improving cybersecurity and data protection practices, and reporting breaches in a timely manner.
