In a revelation that has sent ripples through the British education sector, the United Kingdom’s Information Commissioner’s Office (ICO) has warned that students themselves are behind a majority of cyber breaches within schools. According to a report released on September 11, 2025, and analyzed by the ICO, 57% of personal data breaches in educational institutions between January 2022 and August 2024 were caused by students. This startling statistic has prompted calls for urgent reforms in how schools approach cybersecurity and data protection.
The ICO’s analysis, which examined 215 personal data breach reports originating from inside schools, paints a picture that is both concerning and oddly relatable. Kids aren’t necessarily breaking into school systems with Hollywood-level hacking skills; more often, they’re simply logging in. Nearly a third of these breaches occurred because students either guessed commonly used, weak passwords or stumbled across login details carelessly written down. As the ICO put it, “teen hackers are not breaking in, they are logging in.”
But how does this happen so frequently? The answer, according to the ICO, lies in a combination of poor data protection practices and a lack of robust cybersecurity culture. About 23% of these incidents were linked to weak practices—such as teachers allowing students to use their devices, staff accessing data without legitimate need, or leaving devices unattended. Another 20% of breaches occurred when staff sent data to personal devices, and 17% resulted from incorrect access rights or improper setup of systems like Microsoft SharePoint. Only 5% of reported incidents involved students using more advanced or sophisticated hacking techniques to bypass security and network controls.
One particularly telling example cited by the ICO involved three Year 11 students who hacked into their school’s information management system, which contained personal information for more than 1,400 students. The students, who admitted to being interested in IT and cybersecurity, used tools freely available on the internet to break passwords and bypass security protocols. Two of them even acknowledged being part of an online hacking forum. Their motivation? According to the ICO, it was a mix of wanting to “test their skills and knowledge,” as well as the thrill of a dare or challenge.
Another case saw a student unlawfully accessing a college’s information management system using a staff login. This breach exposed the personal information of over 9,000 staff, students, and applicants—including sensitive data such as home addresses, health records, and emergency contacts. The incident was serious enough to be reported to the police, the ICO, and Action Fraud, underscoring the real-world consequences of what might start as a seemingly harmless prank.
Heather Toomey, principal cyber specialist at the ICO, emphasized the gravity of the situation: “Whilst education settings are experiencing large numbers of cyber attacks, there is still growing evidence that ‘insider threat’ is poorly understood, largely unremedied and can lead to future risk of harm and criminality.” She went on to warn, “What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure.”
The National Crime Agency (NCA) has also sounded the alarm, reporting that one in five children aged 10 to 16 have engaged in illegal online activity. In a particularly sobering example, the youngest referral to the NCA’s Cyber Choices program last year was just seven years old. The data also reveals that about 5% of 14-year-old boys and girls admit to hacking, with most teen hackers being English-speaking males.
The motivations behind these breaches are as varied as the students themselves. The ICO and NCA cite dares, notoriety, financial gain, revenge, and rivalries as common reasons children give for hacking into school systems. Sometimes, it’s simply about the challenge or the fun of seeing if it can be done. But as Toomey points out, “It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists.”
The scale of the problem is significant. According to the government’s Cyber Security Breaches Survey, 60% of secondary schools and 44% of primary schools have identified breaches or attacks. These incidents can have far-reaching consequences, exposing sensitive information and potentially setting young people on a path toward more serious cybercrime.
The ICO is calling on schools to be proactive in addressing these vulnerabilities. Recommendations include regularly refreshing GDPR training for staff, improving cybersecurity and data protection practices, and ensuring that breaches are reported promptly so that support and advice can be provided. The ICO has also established data sharing agreements and memoranda of understanding with organizations like the NCA, Risk Protection Arrangement, Cyber Choices, and the Joint Information Security Council to facilitate better intelligence sharing and coordinated responses to these threats. Engagement with local government, the Department for Education, and various police cyber resilience centers is also underway.
Parents, too, have a crucial role to play. The ICO urges them to have regular conversations with their children about online behavior and the potential consequences of hacking—even when it seems like harmless fun. The NCA’s Cyber Choices program offers resources to help parents and young people explore technology skills while understanding the legal and ethical boundaries. Everyday scenarios can quickly escalate: a child memorizes a friend’s password and logs in without permission, or uses a logged-in device to make unauthorized purchases. These actions, though seemingly minor, can have serious legal and personal ramifications.
The ICO’s report makes it clear that the insider threat posed by students is not just a technical issue, but a cultural one. It reflects gaps in digital literacy, supervision, and the broader understanding of cybersecurity among both staff and students. The regulator, empowered by the Data Protection Act 2018 and the UK General Data Protection Regulation, can take enforcement action against organizations and individuals who fail to uphold data protection standards. This includes criminal prosecution, non-criminal enforcement, and audits.
For schools, the message is simple but urgent: cybersecurity is no longer just an IT concern—it’s a fundamental part of safeguarding students and staff. For students, understanding the boundaries of ethical online behavior is critical, not just for avoiding legal trouble, but for building futures in a world that increasingly values digital skills. And for parents, staying engaged in their children’s digital lives has never been more important.
As the lines between curiosity, challenge, and criminality blur in the digital age, the need for vigilance, education, and collaboration across schools, families, and authorities has never been clearer.
