Insider threat of students leading to increasing number of cyber attacks in schools

Children are hacking into their schools’ computer systems – and it may set them up for a life of cyber crime. That’s the warning from the Information Commissioner’s Office (ICO), which has spotted a worrying pattern behind the culprits responsible for school personal data breach reports that relate to insider attacks.

The regulator analysed 215 personal data breach reports caused by insider attacks from the education sector between January 2022 and August 2024, finding: 

• 57% of incidents were caused by students; and
• 30% of incidents were caused by stolen login details, with students being responsible for 97% of these attacks.

The warning comes after the National Crime Agency (NCA) reported one in five children aged 10 to 16 have been found to engage in illegal activity online. Shockingly last year, the youngest referral to the NCA’s Cyber Choices – a national programme helping people use cyber skills in a legal way – was a seven-year-old child.

Teen hackers are commonly English speaking males and around 5% of 14-year-old boys and girls admit to hacking. A number of reasons are cited as to why children hack including dares, notoriety, financial gain, revenge and rivalries.  

Heather Toomey, Principal Cyber Specialist at the ICO, said: “Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality.

“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.

“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.”

Schools and cyber incidents

Further analysis of the 215 education sector insider attack breach reports revealed:

• 23% of incidents were caused by poor data protection practices, including:
  • Staff accessing or using data without a legitimate need
  • Devices being left unattended
  • Students being allowed to use staff devices
• 20% of incidents were caused by staff sending data to personal devices.
• 17% of incidents were caused by incorrect set up or access rights to systems such as SharePoint.
• 5% of incidents were identified as insiders using sophisticated techniques to bypass security and network controls.

Examples of personal data breaches caused by students

Three Year 11 students unlawfully accessed a secondary school’s information management system, which holds personal information of more than 1,400 students. When questioned, the students admitted being interested in IT and cyber security, and that they wanted to test their skills and knowledge. The students used tools downloaded from the internet to break passwords and security protocols, with two of the students admitting that they belong to an online hackers forum.

A student unlawfully accessed a college’s information management system, then viewed, amended or deleted personal information belonging to more than 9,000 staff, students and applicants. The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs and emergency contacts. The college’s investigation found the student used a staff login to access its systems. The college reported the incident to the police, the ICO and Action Fraud.

Schools are part of the solution

The impact and severity of an insider attack can be far reaching. The ICO is calling on schools to be part of the solution by taking steps to improve their cyber security and data protection practices and remove temptation from students.

Schools should regularly refresh GDPR training to raise standards and awareness of the need to protect access to school systems. And when things go wrong, schools must report to the ICO to ensure they receive support and advice. More information can be found on the ICO’s security guidance and on the National Cyber Security Centre’s advice for schools.

Advice for parents

The ICO continues to encourage parents to have regular conversations with their children about what they get up to online and discuss the choices they are making.

What can be perceived as a bit of fun by a young mind could turn into illegal and harmful activity with far reaching consequences. Examples from the NCA include:

• Adam watches his friend enter a username and password for a platform, he remembers them and without his friend’s permission later uses them to log in and read all of the messages.
• Raj picks up a friend’s tablet that is logged into a gaming account, he buys game credits with the saved credit card.
• Robin downloads software so he can bypass login credentials and hack into his friend’s laptop.

The NCA’s Cyber Choices programme provides resources to help parents and young people explore tech skills but also understand the consequences of becoming involved in cyber crime.