The UK’s data protection watchdog says more than half of cyberattacks in schools are caused by students, and that parents should act early to prevent their offspring from falling into the wrong crowds.
The Information Commissioner’s Office (ICO) looked at 215 data breach cases at schools between January 2022 and August 2024, noting that 57 percent were caused by students, and almost a third (30 percent) were caused by stolen login details.
In the case of stolen logins – either by students seeing others input credentials and remembering, or simply reading them noted down on paper – pupils were behind 97 percent of these attacks.
While only 5 percent of cases were caused by sophisticated means, such as techniques to bypass security controls, the ICO echoed the National Crime Agency’s (NCA) persistent parental campaigns, encouraging parents to take action if they suspect their child may pursue a life of cybercrime.
“Whilst education settings are experiencing large numbers of cyberattacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied, and can lead to future risk of harm and criminality,” said Heather Toomey, principal cyber specialist at the ICO.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organizations or critical infrastructure.
“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.”
As well as parents’ duties to prevent the next generation of cybercriminals from lurking on the dark web, the ICO called on schools to “remove temptation from students.”
School staff were also found to be significantly responsible for data breach cases, just as their pupils were, with one in five incidents caused by staff sending data to their own devices.
The ICO attributed nearly a quarter (23 percent) to poor data protection practices, led by staff, such as allowing students to use their devices, leaving their devices unattended, or accessing school data without proper cause.
The regulator called on schools to regularly refresh their GDPR training, and raise awareness about the importance of protecting school systems.
Tales from the 215
The ICO’s warning came loaded with anecdotes of real-world cases it was brought in to assess – examples of the 5 percent of sophisticated cases.
It said one attack involved three Year 11 scholars in the UK – aged 15 or 16 – who broke into their school’s information management system (IMS), which held data on more than 1,400 school children.
All three said they were interested in cybersecurity, having been caught downloading intrusion tools from the web to crack passwords and bypass security mechanisms.
When questioned, two of them later said they were regular users of cybercrime forums.
Another example saw a lone college student using a staff login to access their institution’s IMS, which held data pertaining to more than 9,000 people. The student went on to access, amend, and manipulate that data, and the college consequently reported them to the police.
The ICO also cited a few scenarios that have previously been offered by the NCA – common situations for parents with which to become acquainted, so they can watch out for the most frequent early signs of cybercriminal ambitions.
If parents spot their child watching their friend enter credentials, remember them, and later use them to access a computer that’s not theirs, this is a type of activity that could evolve into more serious offences.
Likewise, if a child is caught buying video game credits using a friend’s account logged into a device without a password, that too should be seen as a sign that intervention is required.
Finally, and perhaps most obviously, if parents catch their child downloading credential-cracking software, then it’s time to get involved.
The issue at hand
As the primary crime-fighting force for the matter in the UK, many of the cases of serious or juvenile cybercrime are referred to the NCA, which said that one in five 10 to 16-year-olds in the UK have engaged in some kind of illegal online activity.
It also coordinates the UK-wide Cyber Choices initiative, which aims to raise awareness of what cybercrime is, and promote legal alternatives to those who are interested in the field.
The youngest referral to Cyber Choices was just seven years old last year.
While any child can engage in cybercrime, according to the ICO, cases involving teenagers tend to involve English-speaking males.
Case in point: the most high-profile cyberattacks in the UK this year have almost exclusively been attributed to Scattered Spider, which recently said it joined forces with Lapsus$ and Shiny Hunters to team up on attacks, before announcing a disbandment on Thursday.
Crucially, according to people familiar with the matter, all three groups are primarily composed of British males.
The NCA secured four arrests in July of teenagers and young adults suspected of carrying out the cyberattacks on M&S, Co-op, and Harrods – three were males, and one was a woman aged 20.
Officers did not formally say these four were members of Scattered Spider. All four were bailed without charge, pending further investigation. ®