Students behaving maliciously – often for fun – are increasingly the cause of cyberattacks hitting schools and colleges in the UK, according to new data from the Information Commissioner’s Office which today warned that perpetrators may be heading for a life of cybercrime.
The UK data protection regulator examined more than 200 internal data breach reports in the education sector between January 2022 and August 2024 and found that more than half, 57% overall, were caused by students, and almost a third, 30% of those said to have been caused by stolen login information, with students responsible for 97% of those.
The ICO warning comes amid a national conversation about teenage, English-speaking hackers involved in a prolific cybercrime collective, variously known as the Scattered Spider, Shinyhunters, Lapsus$ and sometimes all three. The gang has been linked to numerous incidents this year, including attacks on Marks & Spencer and, most recently, Jaguar Land Rover.
It also follows a recent report by the National Crime Agency which found that a fifth of 10- to 16-year-olds had engaged in illegal activities online, and 5% of 14-year-olds had engaged in outright hacking. In 2024, the seven-year-old was referred to its Cyber Choice Digital Crime Prevention Programme, according to the NCA.
“While educational settings are experiencing a high number of cyberattacks, there is still growing evidence that ‘insider threats’ are poorly understood, largely unregulated and can lead to further risks of harm and crime,” said Heather Toomey, ICO’s Chief Cyber Officer.
“What starts as a dare, a challenge, a bit of fun in a school environment can ultimately lead to children causing harm by attacking organizations or critical infrastructure.
“It’s important that we understand the interests and motivations of the next generation in the online world to ensure that children stay on the right side of the law and progress into rewarding careers in an industry that is constantly in need of professionals,” said Toomey.
There are many reasons why children and young people might be tempted to hack – some do it for the thrill of it, some for fame in their peer group, as a result of revenge or competition, and in some cases for financial gain.
In one incident reported to the ICO, three Year 11 pupils accessed a school information management system containing student data and downloaded tools from the internet specifically designed to crack passwords and security protocols. Two of the children involved were members of an online hacking forum and when questioned, all admitted to having an interest in cyber security and said they had wanted to test their skills and knowledge.
In another and rather more damaging case, a student accessed their college’s information management system and proceeded to view, modify or delete personal information about staff, students and course applicants. Some of the data contained in this system included names and addresses, academic records, health and safety data, pastoral logs and emergency contacts.
In the second case, a student stole and used a staff login to access the system, but a deeper analysis of 215 internal data breach reports revealed that about a quarter of the incidents occurred through poor data protection practices by faculty, including devices being left unattended or students being allowed to use staff devices.
Another fifth of the observed incidents were caused by employees sending data to personal devices, and about 17% were caused by technical failures, such as incorrect system settings or poor access management practices.
Only 5% of incidents were identified as insiders using “sophisticated methods” to bypass security and network controls, again emphasizing the importance of paying close attention to basic security measures.
Be part of the solution
The ICO today called on schools to be part of the fight against insider threats by taking steps to improve their overall security practices and to prevent the temptation to hack students.
Among other things, school leaders should be providing GDPR training and refresher courses to raise standards and raise awareness among staff of the need to do better, the ICO said. The regulator also reaffirmed the obligation to report incidents when they go wrong.
For parents and guardians, the ICO stressed the need to keep communication channels open with their offspring – difficult as it can be with teenagers – to regularly check in on their online activities and discuss the choices they make before what might feel like harmless fun escalates into crime.
Parents may also want to consider getting involved in the NCA-coordinated Cyber Choices Program, which contains resources to help families explore technology skills and understand the devastating consequences of engaging in cyberbullying.
