“A dare, a challenge, a bit of fun:” Children are hacking their own schools’ systems, says study

Research shows that students are responsible for over half of school incidents, often without realizing the possible consequences.

Malwarebytes

As if ransomware wasn’t enough of a security problem for the sector, educational institutions also need to worry about their own students, a recent study shows.

Last week, the UK Information Commissioner’s Office (ICO) published a report about the “insider threat of students”. Here are a few key points:

  • Over half of school insider cyberattacks were caused by students.
  • Almost a third of insider attack incidents caused by students involved guessing weak passwords or finding them jotted down on bits of paper.
  • Teen hackers are not breaking in, they are logging in.

The conclusion of the ICO is that:

“Children are hacking into their schools’ computer systems – and it may set them up for a life of cyber crime.”

The ICO examined a total of 215 personal data breach reports caused by insider attacks from the education sector between January 2022 and August 2024. They found that students were responsible for 57% of them, and that students accounted for 97% of the incidents that were caused by stolen login details.

The British National Crime Agency (NCA) reported on a survey of children aged 10-16 which showed that 20% engage in behaviors that violate the Computer Misuse Act, which criminalizes unauthorized access to computer systems and data. It adds a warning:

“The consequences of committing Computer Misuse Act offences are serious. In addition to being arrested and potentially given a criminal record, those caught can have their phone or computer taken away from them, risk expulsion from school, and face limits on their internet use, career opportunities and international travel.”

The reasons that children provided for hacking included dares, notoriety, financial gain, revenge and rivalries. Security experts also mention cases of students altering grades or using staff credentials.

While the ICO report highlights a troubling trend in the UK, US data shows that the US faces similar problems. A March 2025 Center for Internet Security survey found 82% of K-12 schools experienced a cyber incident between July 2023 and December 2024, and security analysts say students pose an insider threat to the education sector.

In one high-profile US prosecution, a 19-year-old faced charges in connection with the 2024 PowerSchool compromise that exposed millions of records containing student and teacher data. In the end, that incident led to extortion attempts against districts and caused major operational disruption.

While seemingly less harmful, student hacking can have consequences just as serious as those of a ransomware attack, and can end up spilling the personal data of students and teachers.

As Heather Toomey, Principal Cyber Specialist at the ICO put it:

“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.”

Parents and schools need to warn children about the possible implications, no matter how innocently it may start. And stricter authorization of school staff and teachers could prevent a lot of these incidents, given that 30% of incidents were caused by stolen login details.

Protecting yourself or your children after a data breach

There are some actions you can take if you are, or suspect you or your children may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.
