UK students treat hacking school systems as a game, warns ICO

Kids in the UK aren’t just sneaking extra snacks into their backpacks. They’re sneaking into their schools’ computer systems. 

According to the country’s Information Commissioner’s Office (ICO), students are behind a whopping 57% of personal data breaches in schools. Yes, more than half.

The watchdog looked at 215 reported breaches that originated inside schools and found that a lot of them were surprisingly low-tech. 

About a third came down to kids either guessing super obvious passwords or stumbling across login details teachers had left lying around. Turns out Post-it notes are the real enemy of cybersecurity.

That’s not to say the students didn’t occasionally flex some actual hacker cred. 

In one example, three Year 11 students managed to crack into a school’s information system by brute-forcing passwords and bypassing security protocols. 

Two of them even admitted to hanging out on a hacking forum, because nothing says “future cybercriminal” like swapping tips online between homework assignments.

The ICO’s report reads less like a dry government memo and more like a cautionary tale: today it’s dares, rivalries, and revenge. Tomorrow, it could be ransomware attacks on critical infrastructure. (Via: TechCrunch)

Heather Toomey, principal cyber specialist at the ICO, put it bluntly: “What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks.” Translation: today’s detention is tomorrow’s FBI watchlist.

The breaches weren’t all kids’ fault, though. 

About a quarter stemmed from teachers letting students borrow their devices, 20% came from staff mixing personal and professional devices, and another 17% happened because of sloppy access controls on platforms like SharePoint. 

Basically, weak security gave students an open invitation to snoop around.

Calling the findings worrying, the ICO urged schools to refresh their GDPR training, tighten up cybersecurity practices, and, importantly, report breaches on time. 

Because while students might think hacking into the system is just a bit of fun, regulators are quick to point out it’s also a bit illegal.

Should schools focus more on cybersecurity education to channel students’ hacking interests constructively, or implement stricter punishments to deter these breaches? Is the real problem student curiosity, or are schools simply not taking basic security measures seriously enough to protect sensitive data? Tell us below in the comments, or reach us via our Twitter or Facebook.