The Information Commissioner’s Office (ICO) has issued a warning about what it calls the “worrying trend” of students hacking their own school and college IT systems for fun or as part of dares.
It has told teachers that they are failing to understand and recognise what it calls the “insider threat” pupils pose.
It says more the majority of so-called “insider” cyber attacks and data breaches in education settings – meaning they have been carried out by someone with access to internal systems – originate with students.
“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure,” said Heather Toomey, Principal Cyber Specialist at the ICO.
It comes amid a spate of high profile cyber-attacks, affecting firms including M&S and Jaguar Land Rover, in which teenage hackers have been implicated.
Since 2022, the ICO has investigated 215 hacks and breaches originating from inside education settings and says 57% were carried out by children.
Other breaches are thought to come from staff, third party IT suppliers and other organisations with access.
According to the new data, almost a third of the breaches involved students illegally logging into staff computer systems by guessing passwords or stealing details from teachers.
In one incident, a seven-year-old was involved in a data breach and subsequently referred to the National Crime Agency’s Cyber Choices programme to help them understand the seriousness of their actions.
The ICO did not give details on the nature of that breach.
In another incident three Year 11 students aged 15 or 16 unlawfully accessed school databases containing the personal information of more than 1,400 students.
The pupils used hacking tools downloaded from the internet to break passwords and security protocols.
When questioned, they said they were interested in cyber security and wanted to test their skills and knowledge.
Another example the ICO gave is of a student illegally logging into their college’s databases with a teachers’ details to change or delete personal information belonging to more than 9,000 staff, students and applicants.
The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs and emergency contacts.
Schools are facing an increasing number of cyber attacks, with 44% of schools reporting an attack or breach in the last year according the government’s most recent Cyber Security Breaches Survey.
Youth cyber crime culture is a growing threat with linked to English-speaking teen gangs.
Young or teenage alleged hackers have been arrested in the UK and the US in the last year for hacking campaigns against major companies including MGM Grand Casinos, TfL, Marks and Spencer and Co-op.
Source: BBC
