Educators and parents are encouraged to act, as privacy regulator analyses hundreds of recent incidents and finds many examples of children using their tech skills and curiosity to damaging effect

The UK’s data-protection watchdog has warned of a growing trend of cyberattacks on schools being perpetrated by pupils.

The Information Commissioner’s Office recently analysed the details of 215 data breaches that took place across the education sector between January 2022 and August 2024 and were classified as “insider attacks”.

Almost three in five of these incidents – 128 breaches – were perpetrated by children attending the school or college. Students were, in particular, almost entirely responsible for the 30% of attacks that relied on stolen login details.

Incidents analysed by the data regulator included three year-11 students accessing their school’s databases because they were “interested in IT and cyber security and… wanted to test their skills and knowledge”. In another case – which was reported to the ICO and the police – a student used a staff login as part of a breach in which they “viewed, amended or deleted personal information belonging to more than 9,000 staff, students and applicants”.

Heather Toomey, principal cyber specialist at the ICO, said: “Whilst education settings are experiencing large numbers of cyberattacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality. What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure. It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.”

Related content

• DfE alerted to more than 50 school ransomware attacks in past three years
• DfE boosts security with £6m deal for ‘cyber specialists’
• ICO strategy focuses on impact of AI and biometrics

The ICO claimed that its assessment reinforces the findings of a recent survey from the National Crime Agency that revealed that a fifth of all children aged 10 to 16 have undertaken some form of illegal activity online. The NCA operates a Cyber Choices programme, which is intended to help young people develop technical skills “but also understand the consequences of becoming involved in cybercrime”. The youngest child referred to the scheme last year was seven years.

The ICO’s analysis of recent incidents concluded that common reasons for students to launch cyberattacks include “dares, notoriety, financial gain, revenge, and rivalries”.

Beyond the threat posed by students, the regulator also found that about a quarter of recent insider breaches in the education sector “were caused by poor data protection practices”, including 20% of incidents which stemmed from staff sending information to their personal devices or accounts.

The ICO urged schools “to be part of the solution by taking steps to improve their cybersecurity and data-protection practices and remove temptation from students”. Recommended measures include regularly updated GDPR training and prompt reporting of any incidents.

Parents also have a key role to play, according to the regulator, and should make sure to “have regular conversations with their children about what they get up to online and discuss the choices they are making”.