Pupils hacking their own schools for fun, watchdog warns

It said that while these attacks may begin as “a bit of fun” in school, they can cause real damage and warns that this could have consequences for young people, setting them up for “a life of cyber crime”.

The ICO analysed 215 personal data breach reports caused by insider attacks in the education sector between January 2022 and 2024.

It found that 57 per cent of incidents were caused by students and almost a third of insider attacks were caused by students guessing weak passwords or finding them jotted down on bits of paper.

The ICO said this meant teen hackers “are not breaking in, they are logging in”.

Heather Toomey, principal cyber specialist, said: “Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality.

“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.

“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.”

Schools are facing an increasing number of cyber attacks. According the government's Cyber Security Breaches Survey, 60 per cent of secondary schools and 44 per cent of primary schools identified breaches or attacks.

An example given by the ICO detailed how three Year 11 students accessed a secondary school’s information management system, which holds personal information of more than 1,400 students.

The students said they wanted to “test their skills and knowledge” and used tools downloaded to break passwords and security protocols.

Another case saw a student using a staff login to access a a college’s information management system. The system stored personal information belonging to more than 9,000 staff, students and applicants such as name and home address, school records, health data, safeguarding and pastoral logs and emergency contacts.

Further analysis of the 215 incidents found that 23 per cent of the incidents were caused by poor data protection practices such as devices being left unattended, students being allowed to use staff devices or staff accessing or using data without a legitimate need.

20 per cent of incidents were caused by staff sending data to personal devices and 17 per cent were caused by incorrect set up or access rights to systems such as SharePoint.

Only 5 per cent of incidents were identified as insiders using sophisticated techniques to bypass security and network controls.