Kids hacking for kicks are causing security headaches at schools
ICO analysis of education sector breaches found schools and colleges are being careless – and pupils are taking advantage
The biggest cybersecurity risk faced by schools comes from the pupils themselves, according to new research from the Information Commissioner’s Office (ICO).
In what it described as a 'worrying trend', more than half of cyber incidents at schools were caused by students. More than a third of incidents involved pupils guessing weak passwords or finding them jotted down on bits of paper.
These teen hackers are most commonly English-speaking males, although around 5% of all 14-year-old boys and girls admit to ‘hacking’ in some capacity. The reasons given include dares, notoriety, financial gain, revenge, and rivalries.
Heather Toomey, principle cyber specialist at the watchdog, warned the trend has the potential to snowball into more nefarious activities.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organizations or critical infrastructure."
Nearly a quarter (23%) of incidents were caused by poor data protection practices, including staff accessing or using data without a legitimate need, devices being left unattended, or students being allowed to use staff devices.
One-in-five were caused by staff sending data to personal devices, and 17% by incorrect set up or access rights to systems such as SharePoint.
Students are playing with fire
One-in-twenty incidents, however, came from insiders using sophisticated techniques to bypass security and network controls.
In one example, a student accessed a college’s information management system via a staff login, then viewed, amended, or deleted personal information belonging to more than 9,000 staff, students, and applicants.
The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs, as well as emergency contacts.
In another, three Year 11 students unlawfully accessed a secondary school’s information management system, which held personal information belonging to more than 1,400 students. When they were caught, they said they'd just been trying to test their cybersecurity skills and knowledge.
Pete Luban, field CISO at AttackIQ, said the ICO research shows the education sector needs to strengthen its cybersecurity practices.
"There are a couple of takeaways from this news. The most important is that educational institutions must do a better job of protecting sensitive information," he said.
"Proper cyber hygiene protocols, such as strengthening passwords and removing student access to them, would solve a large portion of the problems,” he said.
"For the smaller portion of incidents that required more advanced technical skills, schools need to evaluate their cyber defense systems and implement proactive measures that are able to close the gaps that students were exploiting," Luban added.
Luban said it’s critical for schools to make it clear to pupils that hacking isn't just a prank, and that there can be significant consequences.
"Reinforcing data protection principles and individual data rights not only makes students aware of the potential punishments for conducting cyberattacks, but also decreases the chances that they themselves are breached as a result of cyber malpractice,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Hackers breached a 158 year old company by guessing an employee password
- How is AI being used in education?
- The Scattered Spider ransomware group is infiltrating Slack and Microsoft Teams to target vulnerable employees
-
What is Microsoft Maia?Explainer Microsoft's in-house chip is planned to a core aspect of Microsoft Copilot and future Azure AI offerings
-
If Satya Nadella wants us to take AI seriously, let’s forget about mass adoption and start with a return on investment for those already using itOpinion If Satya Nadella wants us to take AI seriously, let's start with ROI for businesses
-
90% of companies are woefully unprepared for quantum security threats – analysts say they need to get a move onNews Quantum security threats are coming, but a Bain & Company survey shows systems aren't yet in place to prevent widespread chaos
-
LastPass issues alert as customers targeted in new phishing campaignNews LastPass has urged customers to be on the alert for phishing emails amidst an ongoing scam campaign that encourages users to backup vaults.
-
NCSC names and shames pro-Russia hacktivist group amid escalating DDoS attacks on UK public servicesNews Russia-linked hacktivists are increasingly trying to cause chaos for UK organizations
-
An AWS CodeBuild vulnerability could’ve caused supply chain chaos – luckily a fix was applied before disaster struckNews A single misconfiguration could have allowed attackers to inject malicious code to launch a platform-wide compromise
-
There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radarNews The new DeadLock ransomware family is taking off in the wild, researchers warn
-
Supply chain and AI security in the spotlight for cyber leaders in 2026News Organizations are sharpening their focus on supply chain security and shoring up AI systems
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
NHS supplier DXS International confirms cyber attack – here’s what we know so farNews The NHS supplier says front-line clinical services are unaffected
