Curiosity killed the cat, and in today's classrooms it seems it is also crashing the school server, pinching teachers' passwords, and rewriting the lunch menu for a laugh.
Recent data released by the UK's Information Commissioner's Office (ICO) highlights that the same curiosity for technology that can lead a young person into a career in cybersecurity can also lead them into trouble.
According to the ICO, school pupils should be considered an "insider threat" by schools, with 57% of data breach reports from within the education sector being blamed on students.
In a sobering analysis of 215 data breach reports between January 2022 and August 2024, the ICO determined that nearly a third (30%) of all insider attacks in the education sector involved stolen or guessed passwords, with 97% of those breaches committed by students.
In other words, although external hackers remain a real threat, student-led cybersecurity incidents are common.
Looking in more detail at the 215 reports, the ICO found the following:
- 23% were caused by weak data protection practices, such as staff accessing data without a legitimate need, devices left unattended, or pupils permitted to use staff devices.
- 20% involved staff sending data to their personal devices - perhaps thinking it would be more convenient to work on their own PC at home - but without considering if that was permitted or if adequate security was in place.
- 17% of incidents resulted from misconfigured access rights, such as SharePoint being incorrectly configured to be too permissive.
- 5% involved insiders (whether students or staff) deliberately bypassing security or network controls.
The ICO shared examples of breaches caused by students, which included three Year 11 students accessing their secondary school's information management system that held the personal data of more than 1400 students. When questioned, the students explained that, in an attempt to test their skills, they had downloaded password-cracking tools from the internet, and that two of them were even members of an online hacking forum.
In another example, the ICO described how a student broke into his college's information management system using a staff login, and then exploited his access to meddle with the personal data of more than 9000 staff, students, and applicants.
A recent warning by the UK's National Crime Agency (NCA) underlined that it was not just teenagers who posed a cybersecurity threat, with the startling revelation that one in five children aged 10-16 have engaged in illegal activity online, with the youngest person referred to the NCA's Cyber Choices programme being a mere seven years old.
Cyber Choices is an initiative that targets young people to educate them about the legal and ethical use of technology and online skills. The programme aims to reduce cybercrime by raising awareness of the consequences of illegal behaviour online, and promoting the opportunities in the legitimate cybersecurity industry instead.
The challenge for those protecting the education sector, of course, is significant. Not only are schools and educational establishments typically underfunded and poorly resourced, but they also have a stream of hundreds or thousands of young people coming through their doors each day who may have many of the skills needed to hack a system, but a lack of maturity when it comes to cyber ethics.
Clearly all schools could benefit from ensuring that they have strong password hygiene in place, that multi-factor authentication (MFA) is enabled wherever possible, and that login credentials are not shared or reused inappropriately.
Furthermore, access control should be tightened so staff members and pupils only have the permission to access the data that they actually need, especially if systems contain sensitive personal information. In addition, pupils should not be allowed to use staff devices, shared devices should be managed and secured, and logged-in devices should not be left unattended.
Finally, how about some better parental engagement? Parents should be talking to their children about what is and what is not acceptable online, showing those with an interest in cybersecurity and hacking that there are legitimate career avenues for them, and ensuring that they know when behaviour crosses the line.
It is clear that schools are far from immune to insider threats, and can in fact be hotspots of inappropriate or illegal online behaviour. Whether it is through curiosity, mischief, or malicious intent, students are often the cause.
Simply punishing those responsible is not the solution. Better defences, better communication, and better guidance for youngsters are key.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.