Teen Hackers Responsible for Most UK School Cybersecurity Incidents, ICO Warns

Teenagers are now responsible for a surge in cyber incidents across schools in the United Kingdom, according to a report from the Information Commissioner’s Office (ICO).

ICO says students are behind more than half of all insider-led school data breaches that took place between 2022 and 2024. The good news is that it’s mostly just about curiosity, dares, and rivalries more than anything else.

Students lead breaches

ICO took a closer look at 215 school data breach reports and discovered that students caused 57% of the incidents. In a third of the cases, children simply guessed weak passwords or used login credentials that other people wrote down. In fact, students accounted for 97% of breaches that involved stolen login credentials.

“Children are hacking into their schools’ computer systems – and it may set them up for a life of cyber crime,” the ICO has stated in a press release.

On the other hand, about 5% of the attackers relied on advanced tools and methods to crack passwords or bypass security.

Why kids hack

Students openly admit that they hack for dares, notoriety, financial gain, revenge, or rivalry.

“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure,” said Heather Toomey, Principal Cyber Specialist at the ICO.

Real-world breaches

The ICO detailed a few examples:

• Three Year 11 students hacked a school information system that had private data on more than 1,400 students. They used some online tools found on hacking forums to break passwords and bypass security measures.
• In another situation, a student broke into a college information system that held information on 9,000 staff members, students, and applicants. The attacker used the access to view, alter and delete personal information.

Weak security practices in schools

The report also revealed that staff mistakes were responsible for many breaches.

• Staff caused 23% of incidents by leaving devices unlocked, allowing students to use them, or accessing data without the right to do so.
• Staff also caused 20% of incidents by sending information to personal devices.
• Administrators enabled 17% of breaches by failing to configure access rights properly in platforms like SharePoint.

ICO labeled these findings “worrying” and urged schools to act immediately. The regulator told schools to refresh GDPR training, tighten access controls, and report breaches quickly.