UK School Hacking by Students: Dares and Notoriety

Student Involvement in U.K. School Data Breaches
A concerning trend is emerging in the U.K.’s cybersecurity landscape: a significant number of personal data breaches in schools are being perpetrated by students, rather than external malicious actors.
ICO Findings on Internal Security Incidents
Analysis conducted by the Information Commissioner’s Office (ICO) reveals that students were responsible for over half of all personal data breaches reported by schools. This assessment was based on a review of 215 data breach reports stemming from incidents originating within educational institutions.
Specifically, the ICO determined that 57% of these security compromises were directly attributable to student activity.
Common Vulnerabilities Exploited by Students
A substantial portion of these breaches, almost one-third, occurred because students were able to successfully guess frequently used passwords. Alternatively, login credentials were discovered in written form, readily accessible to students.
While most incidents were relatively simple, the ICO noted that a small percentage – 5% – involved the utilization of more advanced techniques to circumvent security measures and network controls.
Sophisticated Hacking Activity
An example cited by the regulator involved three Year 11 students who successfully infiltrated a school’s student information system. They employed tools designed to crack passwords and bypass established security protocols.
Notably, two of the students involved admitted to active participation within a hacking forum, indicating a broader engagement with malicious online communities.
Potential for Long-Term Cybercrime
The ICO report emphasizes the potential for these early actions to have lasting consequences, stating, “Children are hacking into their schools’ computer systems — and it may set them up for a life of cyber crime.”
Motivations Behind Student Hacking
Several factors appear to be driving this behavior among students. These include dares, the pursuit of notoriety, financial gain, acts of revenge, and existing rivalries.
Escalation of Risk
Heather Toomey, principal cyber specialist at the ICO, cautioned that seemingly harmless initial actions can escalate into more serious cyberattacks. “What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure,” she explained.
Contributing Factors Beyond Student Actions
The report also highlighted weaknesses in data protection practices within schools. Nearly a quarter of breaches were facilitated by teachers allowing students to use their personal devices.
Furthermore, 20% of hacks were linked to staff utilizing personal devices for work-related tasks, and 17% resulted from inadequate access controls for systems such as Microsoft SharePoint.
ICO Recommendations for Schools
Describing its findings as “worrying,” the ICO is urging schools to proactively address these vulnerabilities. Recommendations include refreshing GDPR training for staff, enhancing overall cybersecurity and data protection practices, and ensuring timely reporting of any data breaches.
Strengthening these areas is crucial to mitigating the risk of future incidents and protecting sensitive student data.
