Many security experts, including those from major law enforcement agencies, agree that tracking external cyber threats can be somewhat manageable. However, detecting insider threats remains a far more challenging task, as these individuals often operate covertly and can cause more harm than those from outside the organization.
A recent study by the Information Commissioner’s Office (ICO) in the UK highlighted this issue, revealing that even within schools, the difficulty of identifying and addressing insider threats is growing. In particular, students—who often view hacking as a harmless challenge or a way to showcase their tech skills—are becoming more involved in cyberattacks.
Teenagers, especially those between the ages of 10 and 16, often pride themselves on being tech-savvy. Driven by motives such as revenge, rivalry, or financial gain, they use their skills to conduct cyberattacks, including data breaches at schools. These breaches typically target sensitive information like student names, home addresses, dates of birth, emergency contacts, pastoral logs, and health data. The National Crime Agency (NCA) and their Cyber Choices report have confirmed these troubling trends.
Heather Toomey, Principal Cyber Specialist at the ICO, shared that many students engage in these activities as part of a dare or simply for fun, trying to prove their tech skills to their peers. This behavior is not only an added burden for IT staff but also creates unnecessary chaos among both teaching and non-teaching staff, who are already under strain from ongoing threats like ransomware attacks from notorious hacking groups.
A study conducted by the ICO between January 2022 and August 2024 revealed concerning statistics: of the 215 security breaches recorded, almost 57% were caused by students. In contrast, 20% of breaches originated from staff, with the remaining breaches attributed to third-party vendors or technology providers with access to school systems.
One of the main factors fueling these attacks is the weak cybersecurity practices within schools. Teachers and staff often use easily guessable passwords or fail to adhere to basic cyber hygiene, making it easier for students to exploit vulnerabilities.
What’s even more alarming is that students are increasingly finding hacking tutorials and tools online, particularly on platforms like YouTube, which exposes them to the dangerous world of cybercrime.
In one particularly shocking case, the ICO discovered that a 7-year-old was responsible for a data breach at a school, though the institution’s name was kept confidential.
When students are caught, they are typically referred to the National Crime Agency’s Cyber Choices program, where law enforcement officers with cybersecurity expertise educate them about the serious consequences of their actions. In most cases, the students recognize the gravity of the situation and either stop their harmful activities or choose to explore legitimate career paths in cybersecurity, a field that offers promising opportunities, especially with the growing role of AI.
However, there are rare cases where repeat offenses occur. In such instances, the students may face more serious consequences, including mandatory counseling sessions with their parents, facilitated by local law enforcement.
Join our LinkedIn group Information Security Community!
