
ICO Sheds Light on UK School Data Breaches

A new report from the Information Commissioner’s Office (ICO) has revealed that 57% of insider data breaches in UK schools are caused by students. The regulator analysed 215 incidents between January 2022 and August 2024 – and the findings support the view that human error remains the main contributor to breaches.

 

How Are Students Causing Data Breaches?

Around 30% of breaches came from stolen login details, with students responsible for 97% of these attacks. Weak passwords and login details made it easier for students to gain access.

In one case, three Year 11 students (aged 15–16) hacked into a secondary school’s system holding data on more than 1,400 pupils. They used freely available tools from the internet to crack passwords and bypass controls.

Another case saw a student access a college’s system using stolen staff login details, giving them the ability to view, amend or delete information on more than 9,000 students, staff and applicants.

 

Curiosity or Crime?

The ICO warned that children experimenting with hacking could be setting themselves up “for a life of cybercrime.” Many admitted they simply wanted to test their cyber skills, with some even part of online hacker forums.

The National Crime Agency (NCA) has reported that 1 in 5 children aged 10 to 16 has engaged in illegal online activity.

This is a double-edged sword: on one hand, not all hacking is bad, and penetration testing and white hat hacking are well-known and respected fields; on the other, it’s important to make sure that’s the direction students head in.

 

Why Cyber Curiosity Needs Guidance

The ICO is urging parents to have regular conversations with their children about online behaviour. Heather Toomey, Principal Cyber Specialist at the ICO, highlighted the need to help children develop their skills responsibly, steering them toward careers in cybersecurity rather than criminal activity.

Former white hat hacker Chris Wysopal echoed this, stressing that many of these pupils aren’t criminals, just curious. He argued that schools and the wider industry should do more to channel this curiosity into legitimate cyber careers – especially as the UK faces a growing demand for cybersecurity specialists.

 

Staff Practices Also to Blame for Data Breaches

While students are involved in most incidents, the report also found that 23% of breaches were due to poor staff practices. This included accessing data without a legitimate reason, leaving devices unattended, or letting students use staff devices.

Other causes included:

  • 20% from staff sending data to personal devices
  • 17% from incorrect system setups or access rights
  • 5% from insiders using more advanced methods to bypass controls

The findings highlight a dual challenge: addressing student curiosity before it turns into criminal behaviour, and improving staff data practices to reduce avoidable risks. Schools, parents and the cybersecurity industry all have a part to play in steering the next generation toward positive outcomes.

We hope you’ve liked this blog. Stay tuned for more blogs like this. Stay safe!
