Some 57 per cent of cyber incidents at schools are caused by students hacking into their schools’ computer systems, according to a new study by the Information Commissioner's Office (ICO).

The non-departmental government body warned that these students could set themselves up for a life of cyber-crime.

The ICO analysed 215 personal data breach reports caused by insider attacks from the education sector between January 2022 and August 2024, finding that 30 per cent of incidents were caused by stolen login details, with students being responsible for 97 per cent of these attacks.

The warning from the ICO comes after the National Crime Agency (NCA) reported one in five children aged 10 to 16 have been found to engage in illegal activity online.

The youngest referral to the NCA’s Cyber Choices, a national programme helping people use cyber skills in a legal way, was a seven-year-old child.

The ICO said teen hackers are commonly English speaking males.

Around five per cent of 14-year-old boys and girls have admitted to hacking.

The study found a number of reasons as to why children hack, including dares, notoriety, financial gain, revenge  and rivalries.

23 per cent of incidents were caused by poor data protection practices, including staff accessing or using data without a legitimate need, devices being left unattended and students being allowed to use staff devices.

A fifth of incidents were caused by staff sending data to personal devices, while 17 per cent of incidents were caused by incorrect set up or access rights to systems such as SharePoint. 

Just five per cent of incidents were identified as insiders using sophisticated techniques to bypass security and network controls.

The ICO said that schools need to take steps to improve their cybersecurity and data protection practices and remove temptation from students.

It advised that schools should regularly refresh GDPR training to raise standards and awareness of the need to protect access to school systems.

Heather Toomey, principal cyber specialist at the ICO said that there is growing evidence that “insider threats” in educational settings are poorly understood and can lead to future risk of harm and criminality.

“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure,” she added. “It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.”

---