A hot potato: New data about student hackers highlights a broader debate about how early exposure to hacking and digital tools can steer young people toward either professional cybersecurity careers or, in some cases, criminal activities. For schools, the message is clear: the classroom can be both a place of learning and an entry point for cyber attacks from within.
The UK's data watchdog has warned schools and colleges to take more seriously the growing problem of pupils hacking their own institutions' IT systems, after finding that children are responsible for the majority of insider cyber breaches in education.
The Information Commissioner's Office (ICO) stated that teachers were failing to recognize what it described as the "insider threat" posed by their own students. Its warning follows new figures showing that 57 percent of insider attacks and data breaches investigated by the regulator since 2022 originated with pupils. In total, the ICO has examined 215 incidents at schools, colleges and universities.
Heather Toomey, the ICO's principal cyber specialist, told the BBC that behavior initially seen as mischievous can escalate into more serious activity. "What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organizations or critical infrastructure," she said.
The warning comes against the backdrop of wider concerns around youth involvement in high-profile corporate hacks. Companies ranging from Jaguar Land Rover to Marks & Spencer and MGM Grand Casinos have all recently been targeted by teenage groups, some linked to English-speaking cyber gangs.
ICO data shows that nearly a third of recent incidents in schools involved students logging into teachers' systems by guessing passwords or stealing login information. In other cases, young people relied on hacking tools easily downloaded from the internet to break security protections.
One breach cited by the regulator saw three Year 11 pupils, aged 15 and 16, gain illegal access to databases holding the personal details of more than 1,400 students. The ICO said the teenagers had bypassed passwords and security controls and later claimed they were motivated by an interest in testing their cyber skills.
Another case saw a student access their college's database using stolen teacher credentials. The system contained personal information relating to more than 9,000 individuals, including staff, applicants and current students. Records in the database included addresses, school performance data, health information, safeguarding logs, and emergency contacts.
The ICO also pointed to one case concerning a seven-year-old involved in a school-related breach. That child was referred to the National Crime Agency's Cyber Choices programme, which educates young people about the consequences of cybercrime.
The warnings come as schools report an increase in cybersecurity incidents. According to the government's most recent Cyber Security Breaches Survey, 44 percent of schools experienced an attack or data breach in the past year. Experts note that breaches in educational settings sometimes originate from staff or third-party suppliers with access to systems; however, the new figures indicate that pupils are a dominant source of risk.
Over half of UK school hacks are carried out by their own students
really!? - IT systems in many places have the worst safe guards and even many businesses I've liaised with don't have adequate encryption to protect customer data or/and disaster recovery plans. If you implement the most basic of recommendations for security, encryption and disaster recovery you'll be way better off than someone who has nothing or even poorly implemented ones. Its cost effective too!
