The UK’s data watchdog has raised the alarm over a rise in students hacking into their own schools’ IT systems—sometimes as a dare, sometimes just for fun.
The Information Commissioner’s Office (ICO) says too many teachers are overlooking what it calls the “insider threat”—pupils themselves. According to new data, more than half of cyber incidents inside schools and colleges are carried out by students with access to internal systems.
Heather Toomey, Principal Cyber Specialist at the ICO, warned:
“What starts as a dare or a bit of fun can spiral into damaging cyber attacks against organisations or even critical infrastructure.”
Since 2022, the ICO has investigated 215 education-related hacks and breaches, with 57% traced back to children. The rest typically involve staff, contractors, or third-party IT suppliers.
Some of the cases are shocking. One seven-year-old was caught in a breach and referred to the National Crime Agency’s Cyber Choices programme to understand the consequences. In another incident, three Year 11 students used freely available hacking tools to break into school databases, accessing personal records for more than 1,400 pupils.
Another case saw a college student log in using stolen teacher credentials to tamper with data belonging to over 9,000 staff, students, and applicants. That database included addresses, health information, and safeguarding records.
This trend isn’t happening in isolation. Government figures show 44% of schools reported a cyber attack or breach in the past year. Beyond education, teenagers in the UK and US have been linked to high-profile hacks against companies like Jaguar Land Rover, M&S, Co-op, MGM Resorts, and Transport for London.
The ICO’s message is clear: schools must take insider threats seriously and help young people understand the risks. For some, curiosity about cybersecurity could be a pathway into a career—but without proper guidance, it risks turning into cybercrime.
