The Information Commissioner’s Office (ICO) has issued a warning about a concerning rise in students illicitly accessing their educational institutions’ IT systems. These actions, the ICO reports, are often driven by amusement or peer challenges.
The ICO emphasizes a perceived lack of awareness among educators regarding the risks posed by students with internal access to school networks, describing it as an “insider threat.” Data collected by the ICO indicates that a significant portion of cyber incidents and data breaches in education are attributable to student actions.
Heather Toomey, Principal Cyber Specialist at the ICO, highlighted the potential for seemingly harmless activities to escalate. Toomey stated,
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.”
This statement underscores the ICO’s concern that youthful experimentation can evolve into more serious cyber offenses with broader implications.
This warning follows a series of high-profile cyberattacks on companies like Marks and Spencer (M&S) and Jaguar Land Rover. Investigations revealed the involvement of teenage hackers, raising concerns about the increasing prevalence of youth in cybercrime.
Student-led breaches in education
Since 2022, the ICO has investigated 215 incidents of unauthorized access and data breaches originating within educational institutions. Children were responsible for 57% of these incidents. The remaining breaches are suspected to have been perpetrated by staff, third-party IT service providers, and other entities with authorized system access.
Data indicates that almost one-third of the investigated breaches involved students gaining unauthorized access to staff computer systems. These breaches often occurred through methods like guessing passwords or illicitly obtaining login credentials from teachers, highlighting the relative simplicity of some exploited security vulnerabilities.
Case examples of student cybercrime
One case involved a seven-year-old child implicated in an undisclosed data breach. Following the incident, the child was referred to the National Crime Agency’s Cyber Choices program, which educates young people about the consequences and legal ramifications of cybercrime.
In a separate instance, three Year 11 students (aged 15-16) illegally accessed school databases containing personal information for over 1,400 fellow students. They used hacking tools downloaded from the internet to bypass password protections, citing an interest in cybersecurity and a desire to explore technical capabilities.
Another incident involved a student gaining unauthorized access to a college’s databases using a teacher’s login credentials. This access was used to modify or delete personal information for over 9,000 staff, students, and applicants. Compromised data included names, home addresses, academic records, health information, safeguarding and pastoral logs, and emergency contact details.
Rising cyber threats to educational institutions
According to the government’s latest Cyber Security Breaches Survey, educational institutions face an increasing threat landscape. The survey revealed that 44% of schools reported experiencing a cyberattack or data breach within the past year, underscoring the sector’s growing vulnerability.
The ICO also highlighted the role of youth cybercrime culture, noting its increasing connection to English-speaking teen gangs. The past year has seen arrests in both the UK and the US of young individuals allegedly involved in hacking campaigns targeting major organizations, including MGM Grand Casinos, Transport for London (TfL), Marks and Spencer, and the Co-op.