Children are marking the UK's cybersecurity field, but not in the way their parents want it. According to the National Intelligence Committee (ICO), students were behind more than half of the school's personal data breaches.
In warnings to teachers and educational institutions, the ICO outlined an analysis of 215 data breaches reports resulting from security incidents within the school, finding that 57% of hacks were plucked by students.
It was discovered that students had guessed commonly used passwords or simply wrote down login details for each ICO, making almost a third of violations possible.
However, the ICO said a small number of incidents (5%) needed a more sophisticated approach to bypass security and network control. Regulators provided examples of how third-grade students used tools to break passwords and bypass security protocols to hack into school student information systems. The two students confessed to being part of the hacking forum.
“Children are hacking into school computer systems, and they may set them up for a cybercrime life,” the report reads.
The warning dares to say that infamy, money, revenge and competition are one of the reasons why kids say they're hacking into the system.
“Don't worry, a little fun in a school setting can ultimately lead to participation in the attack,” said Heather Tohmy, a leading cyber specialist at ICO, in a statement. “Day, a challenge, a little fun in a school setting, could lead to children taking part in attacks on organizations and attacks on critical infrastructure.”
The report shed more light on how these violations occurred. Almost a quarter of data breaches utilized weak data protection practices, such as teachers who let students use the device. 20% of hacks were caused by staff using personal devices for their work. Additionally, 17% of violations have occurred due to inappropriate access controls on systems such as Microsoft SharePoint.
The ICO called its findings “worry,” urging schools to help address these issues by updating GDPR training, improving cybersecurity and data protection practices, and reporting violations on time.