Cyberattacks against schools driven by a rise in student hackers, ICO warns
The U.K.’s Information Commissioner's Office (ICO) warned on Thursday that student hackers motivated by dares are driving an increasing number of cyberattacks and data breaches affecting schools.
It advised parents “to have regular conversations with their children about what they get up to online” and warned that children hacking into their school’s computer systems may be setting themselves up for lives of cybercrime.
The privacy regulator said it identified “a worrying pattern” in the 215 insider threat breach reports from the education sector between January 2022 and August 2024, with 57% of incidents caused by students who were likely motivated by “dares, notoriety, financial gain, revenge and rivalries.”
The advisory comes as young, English-speaking cybercriminals have made headlines with their reported involvement in cyberattacks in recent years. In July, the National Crime Agency (NCA) arrested four individuals — three of them teenagers — on suspicion of involvement in a range of ransomware attacks targeting British retailers.
“Teen hackers are commonly English speaking males and around 5% of 14-year-old boys and girls admit to hacking,” the privacy watchdog stated.
Diverting children with an interest in technology away from criminality and into legal programs is a key aim of the NCA, which believes that one in five children in Britain aged 10 to 16 has engaged in illegal activity online. The NCA said the youngest referral it had made to its Cyber Choices program was just seven years old.
Some of the 215 breaches in the education sector were caused by what the ICO described as poor data protection practices, including staff accessing data without a legitimate need, devices being left unattended or students being allowed to use staff devices.
Just 5% of incidents involved insiders “using sophisticated techniques to bypass security and network controls,” stated the regulator.
Cases shared by the ICO included three Year 11 students — roughly equivalent to the 10th grade — hacking their school's information management system using tools they'd downloaded from the internet.
“When questioned, the students admitted being interested in IT and cyber security, and that they wanted to test their skills and knowledge,” the regulator added, noting that two admitted they “belong to an online hackers forum.”
In another case that was reported to the police, a student “viewed, amended or deleted personal information belonging to more than 9,000 staff, students and applicants” to their college after using a staff login to access its systems, said the ICO.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure,” warned Heather Toomey, the ICO’s principal cyber specialist.
“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists,” she added.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.