Schools Face Rising Cybersecurity Threats from Students

Insider threats are emerging as a significant challenge for information technology teams, particularly in educational settings. A recent report from the United Kingdom’s Information Commissioner’s Office (ICO) has revealed a startling statistic: over half of personal data breaches in schools are perpetrated by the students themselves. This finding highlights a pressing issue in cybersecurity, where the focus often lies on external threats.

The ICO’s report coincided with the conclusion of Insider Threat Awareness Month for 2025, which carried the theme “Partnering for Progress.” This initiative aimed to address a critical gap in enterprise security—the disconnect between identity management and the mitigation of insider threats. Many cybersecurity experts emphasize that effective identity management is essential for early detection of misuse before it escalates into a significant breach.

Surprisingly, schools, often viewed as safe havens for children, are now being recognized as potential hotspots for insider cybersecurity incidents. According to the ICO, a notable 57% of data breaches in educational institutions are attributed to students. This data challenges the traditional perception of schools as low-risk environments for cybersecurity incidents.

Pete Luban, Field Chief Information Security Officer at AttackIQ, provided insights into the motivations behind these breaches. “Dares, money, rivalries, and the desire for notoriety are among the most common reasons students carry out these hacks,” Luban explained. The report indicates that inadequate security measures and practices facilitated these breaches, with many incidents resulting from students guessing common passwords or discovering login details written down.

To combat this growing issue, Luban emphasizes the need for schools to enhance their cybersecurity practices. “Educational institutions must do a better job of protecting sensitive information,” he stated. Implementing proper cyber hygiene protocols, such as strengthening password requirements and limiting student access to sensitive information, could significantly mitigate risks. For more complex cyber incidents, schools should evaluate their cybersecurity systems and adopt proactive measures to address vulnerabilities.

Luban also stresses the importance of educating students about the consequences of cyberattacks. He argues that reinforcing data protection principles and individual data rights will not only raise awareness about potential punishments for engaging in cyber misconduct but also reduce the likelihood of students becoming victims of cyber malpractice themselves.

The findings of this report serve as a wake-up call for educational institutions worldwide. As the landscape of cybersecurity continues to evolve, it is crucial for schools to take a proactive stance in safeguarding sensitive information. By implementing robust security measures and fostering an informed student body, schools can better protect themselves against the rising tide of insider threats.