Student working on laptop showing data breaches in schools

UK ICO: Students Are Responsible for Most School Data Breaches, Ushering Them Into Cybercrime

Students are responsible for most school data breaches in the United Kingdom, according to a new report by the U.K. Information Commissioner’s Office (ICO).

The report analyzed 215 insider data breach reports from schools across the country and found that students accounted for 57% of the incidents.

Alarmingly, nearly a third (30%) of the cyber incidents stemmed from leaked, compromised, or weak credentials, of which students were responsible for 97%.

Nevertheless, the U.K. privacy regulator warned that students involved in school data breaches could be on the path to cybercrime.

Worrying trend of school data breaches

As to how the students obtained these passwords, the ICO says that they either guessed them or found them written on pieces of paper. Subsequently, students were not breaking into school systems but simply logging in into poorly protected devices.

Nevertheless, the ICO warned that breaking into school computer systems was setting up teenagers for a life of cybercrime.

“That’s the warning from us, as we have spotted a worrying pattern behind the culprits responsible for personal data breach reports from schools,” the ICO said.

The study follows a damning report by the U.K.’s National Crime Agency (NCA) stating that one in five minors between 10 and 16 years was engaging in illegal online activity.

“Teen hackers are commonly English-speaking males, and around 5% of 14-year-old boys and girls admit to hacking,” the privacy regulator stated.

Reasons for hacking include dares, gaining notoriety, financial gain, revenge, and teen rivalries. However, some students expressed genuine interest in IT and cyber security.

Nevertheless, some admitted to using downloaded sophisticated hacking tools to breach passwords and security protocols, and even to being members of online hacking forums. Shockingly, some children referred to the NCA were as young as seven years old.

“What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure,” warned Heather Toomey, Principal Cyber Specialist.

Toomey stressed the need to understand the students’ interests and motivations in online activity to ensure they do not break the law and develop useful IT skills.

“It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists,” noted Toomey.

Poor data protection practices in school data breaches

Meanwhile, the report also found that negligence played a significant role in school data breaches, including some involving students.

For example, the ICO reported that nearly a quarter (23%) of school data breaches stemmed from poor data protection practices, such as staff illegitimately accessing data, unattended devices, and students using staff computers.

Similarly, a fifth (20%) of data breaches occurred due to staff sending private data to personal devices, while 17% stemmed from poor access rights configuration.

“There are a couple of takeaways from this news,” said Pete Luban, Field CISO at AttackIQ. “The most important is that educational institutions must do a better job of protecting sensitive information. Proper cyber hygiene protocols, such as strengthening passwords and removing student access to them, would solve a large portion of the problems.”

However, 5% of school data breaches stemmed from insiders using sophisticated attacks that circumvent security and network controls.

“For the smaller portion of incidents that required more advanced technical skills, schools need to evaluate their cyber defense systems and implement proactive measures that are able to close the gaps that students were exploiting,” Luban added.

The ICO also called on schools to take adequate steps to enhance their cyber defenses and data protection measures to avoid tempting students into breaking into poorly protected computer systems.

“Additionally, students must be made aware of the consequences of carrying out these attacks,” Luban concluded.