
Over half of all insider cyber attacks in UK schools are now being carried out by students, according to new findings from the Information Commissioner’s Office (ICO).
Alert
A new alert issued by the UK’s data protection regulator has highlighted a “worrying trend” in school cyber breaches, with children as young as seven found to be responsible for serious personal data breaches. The ICO’s analysis of 215 insider cyber incidents reported by education settings between January 2022 and August 2024 found that 57 per cent were caused by students, often exploiting weak security practices and misconfigured systems to gain access.
What’s Happening?
The new findings focus on what the ICO terms the “insider threat”, i.e. a cyber security breach originating from someone inside an organisation, rather than from external attackers. According to the ICO, in schools and colleges that threat increasingly means the students themselves.
Logging In Rather Than Hacking In
While traditional hacking is often associated with remote cyber criminals, many of the breaches reported to the ICO involved students who were already inside the school network, whether physically or via a shared device. In most cases, these students didn’t need to ‘hack in’. Instead, they simply logged in using staff credentials they had guessed, found written down, or seen used in shared spaces. For example, the ICO’s investigation found that 30 per cent of the insider breaches involved stolen or guessed login details. Of those, 97 per cent were directly attributed to students.
Examples
Examples released by the ICO include Year 11 pupils using freely available hacking tools to access a secondary school’s student records database. In another case, a college student used a staff login to view, amend, or delete personal data belonging to more than 9,000 individuals, including students, applicants and staff. The data accessed included names, home addresses, school records, health data, safeguarding notes and emergency contact details.
Who And Why?
According to the National Crime Agency (NCA), around 1 in 5 children aged 10 to 16 have engaged in some form of illegal online activity. Many young people involved in school-based cyber breaches are tech-savvy teenagers, often motivated by curiosity, dares, rivalry or a desire to test their skills.
Heather Toomey, Principal Cyber Specialist at the ICO, warned: “What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.”
The ICO’s own report found that a number of student attackers were already members of online hacking forums, with some describing their interest in IT or cyber security as a motivation.
There are also concerns that peer pressure and notoriety may be playing a role. With hacking tools readily available online and a growing culture of ‘cyber experimentation’ among teenagers, the barrier to entry has dropped significantly. In one shocking example, the youngest child referred to the NCA’s Cyber Choices programme (a diversion scheme for young people at risk of cyber crime) was just seven years old!
How Poor Cyber Practices Are Making Things Worse
While students are behind a growing number of these attacks, the ICO says that weak school security practices are often to blame for giving them the opportunity. For example, of the incidents it analysed:
– 23 per cent were due to poor data protection practices, such as staff leaving devices unattended or students being allowed to use staff machines.
– 20 per cent were caused by staff sending data to personal devices.
– 17 per cent were the result of incorrect system access rights, such as misconfigured permissions on platforms like SharePoint.
– Only 5 per cent involved more technically advanced attacks aimed at bypassing security or network controls.
This appears to paint a picture of education settings where basic cyber hygiene is not being consistently enforced, and where curiosity-driven students often find it all too easy to gain access.
In many of the cases the ICO looked at, passwords were left written down, shared, or reused across multiple systems. Systems were also often inadequately segregated, with students able to access staff portals or administrative databases. Another issue was devices being left unlocked or unattended, giving unauthorised users the chance to view or export sensitive data.
Real-World Impacts
Although students may have been doing this for fun, the fallout from such incidents can be really serious. For example, breaches involving children’s personal data may trigger safeguarding risks, parental complaints, and mandatory reporting to regulators like the ICO and Action Fraud. They can also cause disruption to school operations and damage trust in digital education tools.
A breach involving sensitive pastoral care records or health data could lead to emotional distress for pupils and families. Although the ICO has not confirmed whether any of the reported incidents have resulted in enforcement action, it has made it clear that schools need to raise their game security-wise.
More broadly, the findings raise concerns that early, unchecked behaviour at school could lay the groundwork for more serious criminal activity later on. For example, children who get away with low-level school hacking may be more likely to go on to commit cyber crime in adulthood. In recent years, UK-based teenagers have been arrested in connection with high-profile attacks on major organisations including TfL, M&S and MGM Casinos.
What Can Be Done?
The ICO is urging schools to recognise the insider threat as a real and growing risk, and to take a more proactive approach to cyber security. That includes tightening access controls, improving staff training, and removing unnecessary opportunities for student access to staff systems.
“It’s important that we understand the next generation’s interests and motivations in the online world,” said Heather Toomey. “Schools must act to reduce these risks and ensure children remain on the right side of the law.”
The regulator recommends that GDPR and cyber training be refreshed regularly, especially for staff who handle sensitive pupil data. Schools are also encouraged to report breaches to the ICO promptly so that they can receive tailored guidance and support.
For parents, the message is to talk regularly with children about what they do online and how their actions may have legal and ethical consequences. The NCA’s Cyber Choices programme provides online resources for parents, educators, and young people to help channel cyber skills in positive directions.
It’s also worth noting that Ofsted and the Department for Education have both included cyber security and digital safeguarding as part of broader school leadership responsibilities, particularly for academy trusts and local authority-maintained schools managing large datasets across multiple sites.
What Does This Mean For Your Business?
The scale of these incidents appears to show deeper vulnerabilities in how education settings are managing access, accountability and digital safety. For example, although students may be the ones exploiting the gaps, it seems that the failures often begin with poor digital discipline among staff, misconfigured systems, and weak enforcement of policies that should be basic practice by now. This is, therefore, not just a safeguarding issue but a clear organisational risk, one that could just as easily apply to businesses that underestimate their own internal threat landscape.
For UK companies, especially those working with younger audiences or educational institutions, there’s a broader lesson here. If school systems with limited budgets and complex user bases are proving this easy to exploit, similar risks may be lurking within corporate networks where insider access is also widespread and often poorly monitored. With teenagers already engaging in low-level attacks on schools, and some progressing to more serious breaches in the private sector, early prevention and education have to be part of a wider national cyber strategy.
The ICO’s focus on education, awareness and remediation (rather than punishment) is also notable here. It suggests a recognition that many of these cases are not driven by malice, but by gaps in understanding, supervision and technical control. That said, the legal and reputational consequences of these breaches remain significant, and the longer schools delay action, the harder it will be to rebuild trust.
This appears to be an issue in which everyone has a role to play in prevention. For schools, this means reviewing device access, credential management, and staff training as a matter of urgency. For parents, it means having clearer conversations with children about digital responsibility. For policymakers and industry, it means recognising that today’s teenage hobbyist could become tomorrow’s insider threat, unless there are effective interventions, better systems and stronger support in place to redirect those skills.