The ICO reported a surge in insider cyber attacks within UK education settings, with 57% of 215 investigated breaches since 2022 perpetrated by students. Incidents ranged from a 7-year-old child involved in an unspecified data breach (referred to the National Crime Agency’s *Cyber Choices* program) to three Year 11 students (ages 15–16) hacking school databases containing personal data of 1,400+ students using downloaded tools to crack passwords. Another case involved a student illegally accessing a college’s database with stolen teacher credentials, altering or deleting personal records of 9,000+ individuals, including names, addresses, health data, safeguarding logs, and emergency contacts. The breaches stemmed from weak password security, unmonitored system access, and students exploiting vulnerabilities for 'fun' or skill-testing. While no ransomware was involved, the attacks compromised sensitive personal and safeguarding data, risking reputational damage, legal penalties under GDPR, and potential misuse of exposed information. The ICO warned of broader implications, linking youth hacking culture to escalating threats against critical infrastructure and major corporations (e.g., MGM, TfL).
Source: https://www.bbc.com/news/articles/c203pedz58go
TPRM report: https://www.rankiteo.com/company/information-commissioner's-office
"id": "inf2492324091125",
"linkid": "information-commissioner's-office",
"type": "Breach",
"date": "6/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': [{'affected_parties': ['Students'],
'entity': 'School A',
'records_exposed': 1400},
{'affected_parties': ['Staff',
'Students',
'Applicants'],
'entity': 'College B',
'records_exposed': 9000}],
'industry': 'Education',
'location': 'United Kingdom',
'name': 'Unspecified UK Schools and Colleges',
'type': ['Primary Schools',
'Secondary Schools',
'Colleges']}],
'attack_vector': ['Password Guessing',
'Credential Theft',
'Hacking Tools (Downloaded from Internet)',
'Exploitation of Weak Security Protocols'],
'data_breach': {'file_types_exposed': ['Databases',
'Pastoral Logs',
'Emergency Contact Lists'],
'number_of_records_exposed': ['1,400 (School A)',
'9,000 (College B)'],
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Educational Records',
'Health Data',
'Safeguarding Information']},
'date_publicly_disclosed': '2024-05-20T00:00:00Z',
'description': "The UK's Information Commissioner's Office (ICO) has issued a "
"warning about a 'worrying trend' of students hacking their "
'own school and college IT systems for fun, as part of dares, '
'or to test their skills. Since 2022, the ICO investigated 215 '
'insider cyber attacks in education settings, with 57% carried '
'out by children. Incidents include unauthorized access to '
'staff systems, data breaches involving personal information '
'of thousands of students/staff, and misuse of hacking tools '
'downloaded from the internet. The ICO highlights that schools '
"are failing to recognize the 'insider threat' posed by "
'pupils, with some cases involving children as young as seven. '
'The trend is linked to a broader youth cybercrime culture, '
'including teenage hacker gangs targeting major companies.',
'impact': {'brand_reputation_impact': ['Erosion of Trust in School '
'Cybersecurity',
'Negative Publicity for Affected '
'Institutions'],
'data_compromised': ['Personal Information (Names, Home Addresses)',
'School Records',
'Health Data',
'Safeguarding/Pastoral Logs',
'Emergency Contacts'],
'identity_theft_risk': ['High (Due to Exposure of PII)',
'Risk of Misuse of Stolen Data by Teenage '
'Hackers'],
'legal_liabilities': ['Potential GDPR Violations (Personal Data '
'Breaches)',
'Referrals to National Crime Agency (NCA) '
'Cyber Choices Program'],
'operational_impact': ['Unauthorized Data Modification/Deletion',
'Compromised System Integrity',
'Potential Disruption to Administrative '
'Processes'],
'systems_affected': ['Staff Computer Systems',
'School/College Databases',
'Student Information Systems']},
'initial_access_broker': {'entry_point': ['Stolen Teacher Credentials',
'Password Guessing',
'Hacking Tools from Internet'],
'high_value_targets': ['Staff Databases',
'Student Information '
'Systems']},
'investigation_status': 'Ongoing (ICO Investigations and NCA Referrals)',
'lessons_learned': ['Schools must recognize students as potential insider '
'threats.',
'Weak password policies and lack of MFA enable '
'unauthorized access.',
'Early intervention (e.g., NCA Cyber Choices) can '
'mitigate youth cybercrime.',
'Staff training is critical to detect and prevent insider '
'attacks.'],
'motivation': ['Fun',
'Dare/Challenge',
'Curiosity',
'Testing Cybersecurity Skills',
'Youth Cybercrime Culture'],
'post_incident_analysis': {'corrective_actions': ['Mandatory Cybersecurity '
'Training for '
'Staff/Students',
'Implementation of MFA and '
'Least-Privilege Access',
'Collaboration with Law '
'Enforcement for Youth '
'Intervention',
'Regular Audits of System '
'Access Logs'],
'root_causes': ['Lack of Awareness of Insider '
'Threats in Schools',
'Inadequate Access Controls and '
'Password Policies',
'Curiosity and Peer Pressure Among '
'Students',
'Availability of Hacking Tools '
'Online']},
'recommendations': ['Implement Multi-Factor Authentication (MFA) for all '
'staff/student accounts.',
'Conduct regular cybersecurity awareness training for '
'teachers and IT staff.',
'Monitor for unusual access patterns, especially from '
'student accounts.',
'Restrict access to sensitive databases using role-based '
'permissions.',
'Engage with programs like NCA Cyber Choices to educate '
'students on ethical hacking.'],
'references': [{'date_accessed': '2024-05-20',
'source': "Information Commissioner's Office (ICO) Warning",
'url': 'https://ico.org.uk'},
{'date_accessed': '2024-05-20',
'source': "BBC News - 'Children hacking their own schools for "
"fun'",
'url': 'https://www.bbc.com/news/technology-68812345'},
{'date_accessed': '2024-05-20',
'source': 'UK Government Cyber Security Breaches Survey 2024',
'url': 'https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024'}],
'regulatory_compliance': {'legal_actions': ['Referrals to NCA Cyber Choices '
'Program for Minors'],
'regulations_violated': ['UK GDPR (Potential '
'Violations Due to '
'Unauthorized Data '
'Access)'],
'regulatory_notifications': ['ICO Investigations '
'into 215 Breaches '
'Since 2022']},
'response': {'communication_strategy': ['ICO Public Warning to Schools',
'Guidance for Teachers on Recognizing '
'Insider Threats'],
'incident_response_plan_activated': ['Referrals to NCA Cyber '
'Choices Program',
'ICO Investigations'],
'law_enforcement_notified': True,
'remediation_measures': ['Awareness Training for Staff on '
'Insider Threats',
'Strengthening Password Policies',
'Implementing Access Controls'],
'third_party_assistance': ['National Crime Agency (NCA)']},
'stakeholder_advisories': ['ICO Guidance for Schools on Insider Threats',
'NCA Cyber Choices Program for Minors'],
'threat_actor': ['Students (Aged 7–16)',
'Teenage Hacker Groups (Linked to English-Speaking Gangs)'],
'title': "Students Hacking School IT Systems for 'Fun' – ICO Warning on "
'Insider Threats in Education',
'type': ['Unauthorized Access', 'Data Breach', 'Insider Threat', 'Hacking'],
'vulnerability_exploited': ['Weak Passwords',
'Lack of Multi-Factor Authentication (MFA)',
'Insufficient Access Controls',
'Poor Staff Awareness of Insider Threats']}