United Kingdom Security

UK's Data Watchdog Warns Students Are Breaching Their Schools' IT Systems (bbc.com)

The UK's data-protecting Information Commissioner's Office has issued a warning about what it calls a worrying trend, reports the BBC: "students hacking their own school and college IT systems for fun or as part of dares." Since 2022, the Information Commissioner's Office (ICO) has investigated 215 hacks and breaches originating from inside education settings and says 57% were carried out by children. Other breaches are thought to come from staff, third party IT suppliers and other organisations with access. According to the new data, almost a third of the breaches involved students illegally logging into staff computer systems by guessing passwords or stealing details from teachers.

In one incident, a seven-year-old was involved in a data breach and subsequently referred to the National Crime Agency's Cyber Choices programme to help them understand the seriousness of their actions... In another incident three Year 11 students aged 15 or 16 unlawfully accessed school databases containing the personal information of more than 1,400 students. The pupils used hacking tools downloaded from the internet to break passwords and security protocols. When questioned, they said they were interested in cyber security and wanted to test their skills and knowledge. Another example the ICO gave is of a student illegally logging into their college's databases with a teacher's details to change or delete personal information belonging to more than 9,000 staff, students and applicants. The system stored personal information such as name and home address, school records, health data, safeguarding and pastoral logs and emergency contacts.

Schools are facing an increasing number of cyber attacks, with 44% of schools reporting an attack or breach in the last year according to the government's most recent Cyber Security Breaches Survey.

"Youth cyber crime culture is a growing threat linked to English-speaking teen gangs," the article argues, noting breaches at major companies to suggest it's a kind of "gateway" crime.

The ICO's principal cyber specialist tells the BBC that "What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure."

  • by gweihir ( 88907 ) on Sunday September 14, 2025 @09:51PM (#65659744)

    And as long as too many "decision makers" get away with bad IT security decisions, this will only get worse. With some LLM assistance (via an easy jail-break), even semi-skilled people can hack badly secured IT installations. This is not a surprise in any way. It is just one more effect of the race to the bottom that IT and IT security is taking, led by cretins like Microsoft.

    • The solution is obvious.

      We need to create a vibe coding program and mandate that all code be secured with AI. Repeating "Make it secure" multiple times in the Rules file will make it so.
      • I want to hire you as prompt engineer! - Sorry I meant types-question guy [youtu.be].

        • You don't need to hire a prompt engineer. Just ask ChatGPT to write prompts for Copilot. If you run into trouble just ask Claude to clarify.

          I have a Perl script that chains 17 different AI Agents together. It takes the output from one and puts it into the output of the other. At the suggestion of my psychologist (Abby), I combined the output of some of the agents together in a tree. Now it all flows together in and out like a mysterious river. Fortunately I'm paid in LOC. I doublespace.
        • by quenda ( 644621 )

          Wow! Joe Biden accurately predicted Vibe Coding!

          "Gimme a break! Anybody who can throw coal into a furnace can learn how to program for God's sake."

    • by thsths ( 31372 )

      Exactly.

      Half the reason for user based security is to protect users from each other. That is the reason we have accounts in the first place.

      So attacks from your own user base should always be on the radar.

    • 100%, was going to post something similar, and this really goes back to the other discussion about bad practices. Why aren't systems forced into MFA? People have learned bad cybersecurity practices through years of bad / useless cybersecurity education. I wrote my company's training because all the off the shelf solutions were terrible, not slightly lacking, terrible.
      • by gweihir ( 88907 )

        Indeed. Too much theater, not enough understanding and often no understanding at all.

  • by Big Hairy Gorilla ( 9839972 ) on Sunday September 14, 2025 @09:55PM (#65659748)
    If you have ever heard the sound of a modem with an acoustic coupler, raise your hand. Whoooo... were they ever slow.

    In my freshman year at University of Waterloo, there was a rumour that if you could hack into the compsci system, you could get a summer job.

    Haha, does that sound precious now, or what?
    • by cruff ( 171569 )
      BSD 2.8 (or 9 or 10) had a security hole where it was possible to read the tty input queue from memory. With a suitable program and enough time you could watch as a computer center staff member typed in the root password. From there it was just a matter of covering your tracks in the log files.
      • If you have ever heard the sound of a modem with an acoustic coupler, raise your hand. Whoooo... were they ever slow.

        That's what Telebit Trailblazers [wikipedia.org] were for.

      • On a coop term I wrote some kind of data collection program for Dept of Fisheries and Oceans in Fortran77, and people in the field would upload their data via the acoustic coupler.

        If I recall correctly my application worked at 110 bytes/sec

        You read that correctly.

        I don't think BSD was even a twinkle in anyone's eye in about .. 1981... we would have been using a minicomputer like VAX? Maybe Prime? Possibly HP... I'm guessing Prime, with their own proprietary OS. I doubt very much anyone had considered "secu
        • On a coop term I wrote some kind of data collection program for Dept of Fisheries and Oceans in Fortran77, and people in the field would upload their data via the acoustic coupler.

          If I recall correctly my application worked at 110 bytes/sec

          You read that correctly.

          I don't think BSD was even a twinkle in anyone's eye in about .. 1981... we would have been using a minicomputer like VAX? Maybe Prime? Possibly HP... I'm guessing Prime, with their own proprietary OS. I doubt very much anyone had considered "security".

          What a time to be alive :-)

          Actually, that was 110 bits per second, or 10 characters per second. A character transmission consisted of one start bit, eight data bits, and two stop bits. This allowed for an arbitrary time between characters, which was necessary because a character was transmitted when the operator pressed a key.

          The next step up from acoustic coupling was the 300 bits per second modem.

          I can't speak for HP or Prime, but those of us who worked on the DEC VAX were very concerned about security. We split the usual user

          • So funny. That sounds right to me. That byte layout rings a bell too.
            By any measure, it was excruciatingly slow. But of course, at that time, just being able to send even that little data over a phone line was practically magical. Thanks for the correction.
  • by Rosco P. Coltrane ( 209368 ) on Sunday September 14, 2025 @10:06PM (#65659762)

    I did it as a teenager and I'm close to retirement.

    There's even a movie about it [wikipedia.org] from that time period.

    • by RitchCraft ( 6454710 ) on Sunday September 14, 2025 @11:39PM (#65659828)

      I did the war dial thing back in the early 80's too. I stopped when I got access to a local bank system. When prompted for login and password I simply pressed ENTER twice and was in. A holy shit moment hit me and I quickly disconnected hoping the feds wouldn't show up at my door. I believe I was either 13 or 14 at the time.

      • by AmiMoJo ( 196126 )

        I had a similar thing years ago. I noticed the RX light on my modem flashing periodically, even though I wasn't doing anything. Did a bit of analysis and saw it was ICMP packets coming from some random IP address. Back then firewalls were novel and computers responded to pings from the internet.

        I tried telnet out of curiosity and got straight into some system at that IP address. Not sure what it was, but seemingly some kind of server with a lot of work related shared files on it. Financial info, employee re

      • I did the war dial thing back in the early 80's too. I stopped when I got access to a local bank system.

        In the 00's I ran a windows PC open to the internet with NSA or DOD wallpaper. One guy started an email account to check his mail. I still keep that wallpaper around for laughs.

    • I wonder if the password is still Pencil

      https://www.youtube.com/watch?... [youtube.com]

    • Me too, though of course in our day, the world was much less connected and much less reliant on the technology. The worst we could have done after getting root access to the entire IT infrastructure at my school would have been look at what our classmates had been drawing in Paint or something. Today these systems host much more important and sensitive information and security breaches would be a much bigger deal.

      And on that note, am I the only one less concerned by the behaviour of an impressively curious

    • by Matheus ( 586080 )

      Hackers was also released exactly 30 years ago... HACK THE PLANET!!!

  • Sounds like the script from the classic War Games movie from 1983.
  • by Anonymous Coward

    English-speaking teen gangs

    Very important to know what language the teen gangs speak.

    • There might be some people in England that don't speak English (or German).

    • by Gilmoure ( 18428 )

      Alex: "Dim, ya said you had an in. Do it now or it's a boot to yur bollocks!"

      Dim: "It takes us a minute."

  • by Uldis Segliņš ( 4468089 ) on Sunday September 14, 2025 @10:38PM (#65659786)
    Was there any example of a gang even mentioned? No. Crime? It is as much crime as crawling over a fence to get some apples. No need to overblow it out of proportions. What needs to be done instead - proper, basic security measures. Main one - proper password handling by teachers, who should be at least at basic IT level. Secondly proper IT staff and software, not something that can be hacked with a screwdriver or Notepad. Children will play, just like pups will dig and bite until they grow up and understand. If you leave your systems blatantly insecure, it is your fault, not the children's.
    • Yes, makes as much sense as cannabis being a 'gateway drug', or DnD being a gateway to satan worshipping. Same kind of nonsensical logic as someone who practices on a firing range inevitably becoming an assassin or someone who practices martial arts will use those to mug people. Clearly they've never heard of white hat hackers.

      The problem is, people in positions of authority in education are often more or less completely computer-illiterate and view IT as black magic, so to them hackers are something akin t

      • In my experience the two worst things to combine are "education system" and "technology".

        If the script kiddies are hacking your system, you've got bigger problems.

        Is "script kiddies" still a thing?

        I'm so old.

    • I've been trying to set up a tech club at my kids' school. I wanted to do an actual hacking club, and then washed out the fun to just make a sort of introduction to Linux. The school said no to both (I'm currently working on a microelectronics club, but they may well say no to that too).

      What I learned is that teachers have literally no time for anything. I mean none. Even "just" getting them to clear the way internally for me to take over and deliver the club was hard - and at that point they were pretty keen

      • by cusco ( 717999 )

        my experience of "windows only" admins is that in general they're not actually terribly good.

        **sigh**
        As a Windows admin since NT3.51 I suppose I should take offense at that, except that you said "in general". Windows systems **CAN** be made secure, and for no cost and not much more training, but since politicians refuse to fund IT departments adequately the type of people they end up hiring tend to be close to the bottom of the barrel. I've encountered the same situation at police departments, public works, and our state data center. I've seen the same thing happening wherever corporate executives p

        • You're right - and yes, there are plenty of decent windows admins in the world, so I'm sorry to have lumped you in with the less talented. But I'll bet you're well beyond what any school could afford.

        • I get so tired of hearing the school systems stress technology so much, because they are inevitably 20-30 years behind in their understanding of how to best utilize it, leave alone secure their systems. I always fantasized about teaching a computer class that didn't even touch a keyboard for the first half year...

          I recall Windows 3.51 was quite secure for the time. But once they merged the DOS branch of the OS with the NT branch, things got a lot worse for several years.

          It's good to hear AWS has never bee

          • by cusco ( 717999 )

            When someone manages to get into AWS it will be the headline on SlashDot for weeks, and Amazon-haters will point it up as "another example of Amazon incompetence" for years down the road.

      • > What I learned is that teachers have literally no time for anything.

        The school system in the U.S. is notorious for this. Teachers get so much stuff dumped on them, much of which has little to do with actual teaching. It's a truly thankless job that cannot be fixed by dumping more money into the system. It's fundamentally broken. There are plenty of good teachers, but their effectiveness becomes more and more fettered every year.

        Source: father of 4, and husband to a school teacher

  • by ZipNada ( 10152669 ) on Monday September 15, 2025 @12:39AM (#65659898)

    Students should be encouraged to try to hack the school IT system, and given a reward if they succeed. And in fact there should be a crippled model of the IT system that they can practice on. If you get in with significant privileges you get graded appropriately. Meanwhile the real system is siloed off somewhere and thoroughly backed up.

  • by misnohmer ( 1636461 ) on Monday September 15, 2025 @01:37AM (#65659924)
    If random kids can hack the systems on a dare by guessing passwords or other simple methods, the deployed IT security solution at the institution is essentially worthless. Imagine what a skilled hacker could do. Given the successful kid-dare hacks, state actors already own those networks and probably use them to hack other places. I hope the institutions don't pay real money for such IT security (then again, this could explain it).
    • by cusco ( 717999 )

      Of course they don't, no school system administrator (or healthcare admin, or law enforcement admin, etc.) is going to pay an IT flunky more than they make. This is one case where "you get what you pay for" is true.

      • The school administrators, unlike the people who actually make the schools work, such as it is, tend to be paid pretty well.

  • Until... (Score:5, Insightful)

    by YuppieScum ( 1096 ) on Monday September 15, 2025 @01:45AM (#65659926) Journal

    ...management stop seeing IT as a cost to be cut at every opportunity and are made to take responsibility for the subsequent failures, nothing will change.

  • They hacked the Gibson!

  • by Anonymous Coward
    ...how effective that UK porn filter is for those teens.
    • We don't have a problem with teens viewing porn in the UK. It just doesn't happen any more. In fact, we've been remarkably effective at stopping it compared to half the other countries in Europe, which have seen a recent surge in porn viewing for reasons no-one can identify.

  • If a school gets pwned by a student, that's the school's fault. Not even necessarily the IT team's fault; if teachers leave their login details lying around that's not on the IT team, that's a failure to follow IT policy. If your IT policy doesn't say "don't leave your password lying around" then that probably is the IT team's fault - unless they couldn't get leadership buy-in, which is definitely possible. Some places treat teachers like royalty and such cruel restrictions would simply be beyond the pale.

    • by pjt33 ( 739471 )

      Back when my secondary school replaced its network of Acorn Archimedes with Pentiums running Win 95, all of the pupils started with the same password: lightly anonymised, it was xypupil. It didn't take long for some of us to guess that the teachers had all started with password xystaff, and not all of them had changed it... Curiously that didn't work for the headmaster's account. I don't know whether I was the only person to guess that his password was xyhead. One hopes that nowadays school IT staff are a b

    • by cusco ( 717999 )

      Some places treat teachers like royalty

      You should try dealing with a hospital, doctors are royalty and surgeons are gods. At one local hospital we swapped out the old keypad door latch on the doctors' door with a key card reader. The doctors threw a tantrum and we had a EMERGENCY SERVICE CALL the next day to swap it for a keypad reader, and they forced us to allow everyone to use the code 1992 since that was what it had been for the previous 15 years (this was after an armed ex-husband had previously entered that door using that code, mind you

  • The sky is blue and water is wet.

  • No-good kids! That would never have happened back in my day...

    That reminds me how as teenagers, a friend and I injected a self-written "trojan" into the image which all classroom computers were reset with weekly (Norton Ghost, I think). It allowed us to put messages on the screens, open the CD-ROM drives, etc. of other computers during class.

    I was pretty scared when they found out and I got a letter home, inviting me to a conversation with the head of the computer lab. I was sure I'd be kicked from the scho
  • In 2000-2002 I managed security and infrastructure for a high school in Maine. This was a school with many very talented and diligent students. And some were learning to program in Turbo Pascal.

    Someone either decided to include, or did not notice the risks of including, the network libraries, something that was optional. I asked the publisher, and they confirmed, most school systems did not ask for that.

    Sure enough, some students succeeded in writing a new GINA, intercepting attempted logins, and boom - they got a t

  • I spent some time in a UK academy a few years back as a favour for a headmaster. Each secondary school had their own IT system, each was unique, and every man and his dog had some form of admin rights with a VMWare cluster underneath a WinTel solution and Google classrooms in the cloud. Add in teachers sticking malware laden USB sticks into their desktops (essential teaching materials) and connecting personal laptops to the network.

    They were paying just over minimum wage for someone to manage and maintai
