Brian Sims
Editor

Over 50% of school ‘insider’ cyber attacks caused by students

CHILDREN ARE hacking into their schools’ computer systems and it may set them up for a life of cyber crime. That’s the warning from the Information Commissioner’s Office (ICO) as the organisation highlights a worrying pattern behind the culprits responsible for personal data breach reports from schools.

The ICO analysed 215 personal data breach reports caused by insider attacks from the education sector between January 2022 and August 2024, finding that 57% of incidents were caused by students. Stolen login details accounted for 30% of incidents, with students being responsible for 97% of these attacks.

The warning comes after the National Crime Agency reported that one in five children aged between ten and 16 have been found to engage in illegal activity online. Shockingly, the youngest referral to the National Crime Agency’s Cyber Choices (a national programme helping people to use cyber skills in a legal way) was a seven-year-old child.

Teenage hackers are commonly English-speaking males, with around 5% of 14-year-old boys and girls admitting to hacking. A number of reasons are cited as to why children become involved in hacking. These include dares, notoriety, financial gain, revenge and rivalries.

Heather Toomey, principal cyber specialist at the ICO, said: “While education settings are experiencing large numbers of cyber attacks, there is still growing evidence to suggest that the ‘insider threat’ is poorly understood and largely unremedied. It can lead to the future risk of harm and criminality. What starts out as a dare, a challenge or a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.”

Toomey added: “It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector that’s in constant need of specialists.”

Schools and cyber incidents

Further analysis of the 215 education sector insider attack breach reports has revealed that: 

*23% of incidents were caused by poor data protection practices, including staff accessing or using data without a legitimate need, devices being left unattended and students being allowed to use staff devices 

*20% of incidents were caused by staff sending data to personal devices  

*17% of incidents were caused by the incorrect set-up of access rights to systems such as SharePoint  

*5% of incidents were identified as insiders using sophisticated techniques to bypass security and network controls

Three Year 11 students unlawfully accessed a secondary school’s information management system, which holds personal information of more than 1,400 students. When questioned, the students admitted being interested in IT and cyber security and suggested that they wanted to test their skills and knowledge.

The students used tools downloaded from the Internet to break passwords and security protocols, with two of the students admitting that they belong to an online hackers forum.

A student unlawfully accessed a college’s information management system then viewed, amended or deleted personal information belonging to more than 9,000 staff, students and applicants. The system stored personal information such as name and home address, school records, health data, safeguarding logs and emergency contacts. The college’s investigation found that the student used a staff login to access its systems. The college reported the incident to the police, to the ICO and also Action Fraud.

Part of the solution

The impact and severity of an insider attack can be far reaching. The ICO is calling on schools to be part of the solution by taking steps to improve their cyber security and data protection practices and remove temptation from students.  

Schools should regularly refresh General Data Protection Regulation training to raise standards and awareness of the need to protect access to school systems. When things go wrong, schools must report this to the ICO in order to ensure they receive support and advice.

*Further information is available online at www.ico.org.uk
