Study: Half of School Hacks Are Committed by Students
New data on “student hackers” sheds light on a broader debate about how early exposure to hacking and digital tools can steer young people toward careers in cybersecurity—or, in some cases, into criminal activities. For schools, the message is clear: the classroom can be both a place of learning and an entry point for insider cyberattacks.
The UK’s data protection authority has warned schools and colleges to take the growing problem of student-led hacking more seriously, after finding that pupils are responsible for the majority of internal IT breaches in the education sector.
The Information Commissioner’s Office (ICO) said teachers are failing to recognize what it called “the insider threat” posed by their own students. The warning followed new figures revealing that 57% of internal attacks and data breaches investigated by the ICO since 2022 originated from pupils. In total, the authority examined 215 incidents across schools, colleges, and universities.
Heather Tummy, the ICO’s lead cybersecurity specialist, told the BBC that behavior initially seen as a prank can quickly escalate into something more serious. She added, “What begins as a challenge or playful experiment in a school environment can end with children participating in destructive attacks targeting institutions or critical infrastructure.”
The warning comes amid broader concerns about youth involvement in high-profile cyberattacks on major companies. Firms such as Jaguar Land Rover, Marks & Spencer, and others have recently suffered breaches linked to teenage hacker groups associated with English-speaking cyber gangs.
Data from the Information Commissioner’s Office shows that nearly one-third of recent school incidents involved students accessing teacher systems by guessing or stealing login credentials. In other cases, teens used efficiently downloadable hacking tools to bypass security systems.
One breach cited by the ICO involved three Year 11 students, aged 15 and 16, who illegally hacked databases containing the personal details of more than 1,400 students. The ICO said the teens bypassed passwords and security measures, later claiming they were motivated to test their cybersecurity skills.
In another case, a student gained access to his college’s database using a teacher’s stolen login credentials. The system contained personal information on over 9,000 individuals, including staff, applicants, and current students. The records included addresses, academic performance data, health information, safeguarding records, and emergency contacts.
This kind of hacking is not entirely new—it has been happening since computers and networks were first introduced in schools. Even some of today’s most famous tech figures, such as Microsoft founder Bill Gates, have histories of hacking and system tinkering driven by curiosity and a desire to challenge.
Overall, the UK’s warning comes at a time when schools are reporting a rise in cyber incidents. According to the latest government Cyber Security Breaches Survey, 44% of UK schools experienced an attack or data breach over the past year. Experts note that while some of these incidents originate from staff or third-party service providers with system access, the new figures highlight that students themselves are a significant source of risk.
