11 Sep 2025
Children are hacking into their schools’ computer systems – and it may set them up for a life of cyber crime. That’s the warning from the Information Commissioner’s Office (ICO), which has spotted a worrying pattern behind the culprits responsible for school personal data breach reports that relate to insider attacks.
The regulator analysed 215 personal data breach reports caused by insider attacks from the education sector between January 2022 and August 2024, finding:
The warning comes after the National Crime Agency (NCA) reported one in five children aged 10 to 16 have been found to engage in illegal activity online. Shockingly, last year the youngest referral to the NCA’s Cyber Choices – a national programme helping people use cyber skills in a legal way – was a seven-year-old child.
Teen hackers are commonly English-speaking males and around 5% of 14-year-old boys and girls admit to hacking. A number of reasons are cited as to why children hack, including dares, notoriety, financial gain, revenge and rivalries.
Heather Toomey, Principal Cyber Specialist at the ICO, said: “Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.
“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.”
Schools and cyber incidents
Further analysis of the 215 education sector insider attack breach reports revealed:
Examples of personal data breaches caused by students
Three Year 11 students unlawfully accessed a secondary school’s information management system, which holds personal information of more than 1,400 students. When questioned, the students admitted being interested in IT and cyber security, and that they wanted to test their skills and knowledge. The students used tools downloaded from the internet to break passwords and security protocols, with two of the students admitting that they belong to an online hackers forum.
A student unlawfully accessed a college’s information management system, then viewed, amended or deleted personal information belonging to more than 9,000 staff, students and applicants. The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs and emergency contacts. The college’s investigation found the student used a staff login to access its systems. The college reported the incident to the police, the ICO and Action Fraud.
Schools are part of the solution
The impact and severity of an insider attack can be far reaching. The ICO is calling on schools to be part of the solution by taking steps to improve their cyber security and data protection practices and remove temptation from students.
Schools should regularly refresh GDPR training to raise standards and awareness of the need to protect access to school systems. And when things go wrong, schools must report to the ICO to ensure they receive support and advice. More information can be found on the ICO’s security guidance and on the National Cyber Security Centre’s advice for schools.
Advice for parents
The ICO continues to encourage parents to have regular conversations with their children about what they get up to online and discuss the choices they are making.
What can be perceived as a bit of fun by a young mind could turn into illegal and harmful activity with far reaching consequences. Examples from the NCA include:
The NCA’s Cyber Choices programme provides resources to help parents and young people explore tech skills but also understand the consequences of becoming involved in cyber crime.
ICO Press Office
Information Commissioner's Office
pressoffice@ico.org.uk
The Information Commissioner’s Office (ICO) is the UK’s independent regulator that exists to empower people through their information rights. The ICO regulates the whole economy, including government and the public sector.
To address the issues highlighted in this release, the ICO is also working with a number of third parties and has:
Created data sharing agreements and Memoranda of Understanding with the NCA, Risk Protection Arrangement, Cyber Choices and Joint Information Security Council, so that intelligence and best practices are shared among organisations to better tackle this issue.
Engaged with a number of organisations including the Local Government Association, National Education Network, the Department for Education, City of London Police, Metropolitan Police and Police Cyber Resilience Centres.
The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
To report a concern to the ICO, telephone our helpline on 0303 123 1113 or go to ico.org.uk/concerns.