The UK’s Information Commissioner’s Office (ICO) has revealed a concerning trend: students are responsible for more than half of reported personal data breaches in schools.

In its analysis of 215 security incidents originating within schools, the ICO found that 57% were carried out by students. Many of these breaches were alarmingly simple—students often gained access by guessing weak, commonly used passwords or by finding login credentials left written down.

When Curiosity Crosses the Line

While most cases involved basic methods, the ICO noted that around 5% of the incidents required more advanced techniques, such as password-cracking tools and security bypass methods. In one notable case, three Year 11 students successfully hacked into a school’s student information system; two later admitted to participating in an online hacking forum.

According to the ICO, the motivations behind these attacks vary—from dares and peer recognition to revenge, rivalry, or even financial gain. As Heather Toomey, Principal Cyber Specialist at the ICO, warned:

“What starts out as a dare, a challenge, or a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organizations or critical infrastructure.”

Weak Practices Amplify the Risk

The report highlighted several contributing factors beyond student behavior:

• 24% of breaches exploited weak practices, such as teachers allowing students to use their devices.
• 20% of breaches stemmed from staff using personal devices for school-related tasks.
• 17% of breaches were linked to poor access controls on systems like Microsoft SharePoint.

Strengthening the Frontline in Education

Labeling its findings as “worrying,” the ICO has urged schools to take immediate action by:

• Refreshing GDPR and data protection training for staff.
• Implementing stronger cybersecurity and access control measures.
• Reporting breaches promptly to minimize risk and liability.

Why It Matters

These incidents illustrate a critical gap in cybersecurity awareness and enforcement within the education sector. Schools, often seen as low-risk environments, are proving to be fertile ground for budding hackers. Without proactive measures, today’s classroom “dares” could become tomorrow’s cybercrime careers.

For organizations beyond education, the message is equally clear: weak practices, poor access control, and human error remain the biggest entry points for attackers—whether insiders or external threats.

Source: https://techcrunch.com/2025/09/11/kids-in-the-uk-are-hacking-their-own-schools-for-dares-and-notoriety