Pupils behind more than half of ‘insider’ school cyber attacks

Pupils are behind more than half of so-called “insider” cyber attacks on schools, analysis by the Information Commissioner’s Office (ICO) has found.

The ICO’s analysis of 215 data breaches caused by insider attacks in education settings between January 2022 and August 2024 found 57 per cent of incidents were caused by students.

Insider attacks are those caused by someone from within an organisation, like a pupil or member of staff, rather than an outside hacker.

A further 30 per cent of incidents were caused by stolen login details. The vast majority of these incidents were caused by students (97 per cent).

The watchdog has called on schools to be “part of the solution” by improving their cyber security and data protection practices, as well as taking steps to “remove temptation from students”.

‘Damaging attacks’

Of the 215 data breaches, the ICO found nearly a quarter (23 per cent) were caused by poor practices, like staff accessing or using data without a “legitimate need”, devices being left unattended or students being allowed to use staff devices.

A further 20 per cent of incidents were caused by staff sending data to personal devices.

According to the National Crime Agency, students may hack after being dared, seeking notoriety or revenge or for financial gain.

Teen hackers are commonly English-speaking males, and that around 5 per cent of 14-year-old boys and girls admitting to hacking.

Schools ‘part of the solution’

Heather Toomey, principal cyber specialist at the ICO said: “Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality.

“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.”

“It’s important that we understand the next generation’s interests and motivations in the online world and to ensure children remain on the right side of the law.”

The ICO said schools should be “part of the solution” by regularly refreshing GDPR training and raise awareness of cyber security in schools.