Over half of insider cyber incidents in UK schools are being caused by students—a trend raising alarms across education, regulation, and cybersecurity communities. The Information Commissioner’s Office (ICO), Britain’s data protection regulator, has uncovered a pattern of misuse of login credentials, weak password practices and misconfigured systems, in the last two years.
According to the ICO’s analysis of 215 personal data breach reports in the education sector, 57% of these insider incidents trace back to students. Among the largest subset, 30% involved stolen login credentials—and in nearly all of those (97%), students were responsible.
“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law,” said Heather Toomey, Principal Cyber Specialist at the ICO. She added that what begins as a dare or curiosity can slide into damaging attacks—extending potential harm beyond school systems into critical infrastructure.
Case Studies Show Systemic Weaknesses
Among the breaches reviewed, the regulator cited several high-impact examples. At one secondary school, Year 11 pupils accessed a management system containing data on 1,400 students after using online tools to crack staff passwords. At a college, a student exploited a staff login to view, alter, and delete records belonging to more than 9,000 people, including addresses, health records, and emergency contacts.
Both cases illustrate what the ICO describes as a “perfect storm” of weak password hygiene, poor separation of duties, and insufficient monitoring of unusual access.
Why Students are Hacking
While the ICO focused on the data protection risks, experts say the psychology behind youth hacking is becoming just as important to understand. Many teenagers begin exploring networks not with criminal intent but with curiosity, peer pressure, or the thrill of solving technical puzzles.
Young people often see breaking into a system as a badge of honour, a way to impress peers or gain status in online forums. Some are drawn to the challenge itself, treating hacking like a game. But with easy access to hacker tools and communities, what begins as experimentation can escalate into credential theft or data tampering.
The UK’s National Crime Agency has made similar observations, noting that recognition in online spaces is often a stronger motivator than financial gain.
Also read: Exploiting Digital Playground: Why Are More Kids Becoming Hackers, Turning to Cybercrime?
The ICO observed that many young people aren’t setting out to cause harm but don’t fully grasp the downstream consequences of their actions.
Other contributing factors for this problem is schools allowing students access to staff devices, unattended terminals, overly permissive user permissions, or students using accounts belonging to staff members. In some cases, system architecture flaws (misconfigured permissions, shared user credentials, or lack of separation between student and staff accounts) create the technical pathways for misuse.
A Growing Risk for Schools
The ICO’s findings land at a time when UK schools are already stretched by ransomware campaigns and phishing attacks targeting staff. Unlike external threat actors, student insiders have natural access to school systems, often compounded by weak identity management.
Common technical issues flagged in the report include:
-
Weak or reused passwords across staff and student accounts.
-
Shared or inherited logins, giving students staff-level access.
-
Poorly configured access rights on platforms like SharePoint and learning management systems.
-
Lack of monitoring for suspicious activity, such as out-of-hours logins or mass downloads.
Insider-driven breaches in education don’t just risk exposing grades or timetables. In many cases, sensitive safeguarding data, health information, and emergency contacts are at stake—details that, if compromised, create serious privacy and safety issues.
Data Protection and Cultural Impact
For regulators, the breaches pose a clear compliance issue under the UK GDPR and Data Protection Act. But the cultural dimension is also drawing attention. If students see hacking school systems as harmless fun, experts warn it may normalize riskier behaviours later on.
“Young people who start with curiosity may not realize the long-term consequences,” said Daksh Nakra, Senior Manager – Research and Intelligence at Cyble, who is familiar with education breaches. “The jump from playing with admin rights in a school system to trying the same tactics against real businesses isn’t as big as people think.”
The ICO stressed that while not all student activity carries malicious intent, the impact is the same when personal data is exposed.
Regulator’s Suggestions
The ICO urged schools to strengthen access management, enforce stronger credential hygiene, and ensure breaches are reported consistently. The watchdog also called for better education around the ethical boundaries of technology use. Conflict International.
Children and young people need to understand the seriousness of misusing school systems, the ICO said, adding that prevention requires both technical controls and cultural change.
Industry experts argue that schools should treat insider threats with the same priority as external ransomware campaigns—deploying multi-factor authentication, conducting regular audits of access rights and ensuring monitoring tools flag unusual behaviours.
A Storm Brewing
The ICO’s warning is the latest in a string of signals that youth involvement in cybercrime is rising across Europe. Earlier this year, the UK’s National Crime Agency warned of growing recruitment of teenagers by cybercriminal groups. A 17-year-old teenager was arrested in UK, late last year, following a major cyberattack on Transport for London (TfL), the agency responsible for the city’s transit systems. The motive was unclear but the ripple effect was felt for a few days in the form of delays in ticketing due to in-person vending.
In the Netherlands and Germany, police have reported similar concerns around students testing tools originally built for criminal hacking.
For schools, that means the insider threat is no longer a niche issue but a mainstream risk. As Nakra put it: “We need to stop seeing this as just kids messing about. With today’s tools, a 15-year-old can do damage on a scale once reserved for nation-states.”
