The UK privacy regulator and ZATAZ warn: cyberattacks against schools often come from students, driven by challenges or revenge, sometimes sliding into long-term cybercrime. ZATAZ provides figures showing the same problem in France.
The UK Information Commissioner’s Office (ICO) is warning about the rise in cyberattacks targeting schools, often carried out by their own students. Between 2022 and 2024, more than half of the reported breaches originated from students, sometimes motivated by testing their skills, seeking notoriety, or financial gain. The ICO and the National Crime Agency (NCA) highlight the risk of an early slide into cybercrime. A parallel survey conducted by ZATAZ in French schools shows massive exposure of students to digital tools, AI, and pirated software, underlining the urgency of targeted prevention.
Teenagers at the heart of school cyberattacks
UK schools face an unprecedented threat: cyberattacks launched from within, by their own students. The ICO recorded 215 incidents linked to insider threats in the education sector between January 2022 and August 2024. In 57% of cases, the perpetrators were students. Motivations ranged from technical challenges, notoriety, financial gain, or personal rivalries. ZATAZ interviewed a young former hacker who, at just 16, had become the queen of carding—bank card fraud.
The ICO illustrates this trend with three Year 11 students who hacked their school’s management system using tools downloaded online. Questioned, they explained they wanted to test their cybersecurity skills and admitted to participating in a hacker forum. In another case, a student used a teacher’s credentials to access school databases, modifying or deleting the personal information of more than 9,000 staff, students, and applicants. What starts as a school challenge can escalate into large-scale attacks against organizations or critical infrastructure. Parents and teachers are urged to regularly discuss children’s digital practices.
This year, several French schools requested ZATAZ workshops on this subject, which has been in preparation since 2020. Serious alerts pushed for this initiative. A single (music track) released in January 2025, part of the album 92829, also carried the message: students could ruin their future with just one mouse click.
During Cybersecurity Month in October, about fifteen schools (roughly 2,000 students from grades 8 and 9) will engage with exclusive examples and demonstrations created by ZATAZ. Teachers and school leaders described the content as both exclusive and innovative.
In recent days, 360 students have already been reached. Below, early insights from these sessions. A survey was conducted anonymously using a tool built for the occasion, with findings later shared with parents during evening workshops.
From technical curiosity to criminal shift
The NCA warns of the thin line between experimentation and cybercrime. It reports that one in five UK children aged 10 to 16 has already engaged in illegal online activity. The NCA’s Cyber Choices program, which aims to redirect young people towards legal use, documented one case as early as age seven.
In July, the NCA arrested four individuals, including three teenagers, suspected of participating in a ransomware campaign against UK retailers. These cases highlight that emerging cybercriminals are often young men. The ICO confirms that about 5% of 14-year-olds admit to having hacked a system. In Spain, a teenager in Andalusia was arrested after finding a way to alter his grades.
In France, ZATAZ has documented several similar cases.
Poor data protection practices worsen school vulnerabilities. Examples include unattended computers, staff with unjustified access to sensitive data, teachers’ and students’ machines compromised by spyware, or students granted permissions on teaching equipment. Yet only 5% of documented incidents involved sophisticated bypass techniques. Most resulted from internal errors or negligence. For instance, ZATAZ’s monitoring service has issued over 600 alerts since September 1 concerning schools (public and private).
Survey reveals early exposure among students
A ZATAZ survey in French schools (mid-September) revealed massive student familiarity with digital tools but also a worrying proximity to risky practices.
All surveyed students (47 randomly chosen out of 360 met during the week of September 15) said they had used the internet that very morning upon waking. 21.3% reported experiencing cyber incidents [mostly social media account hacks] affecting themselves or close friends.
More than one-fifth (21.3%) knew their parents’ passwords, and 6.4% knew those of classmates. Generative AI use is nearly universal: 93.6% reported using ChatGPT, with some also citing Gemini or DeepSeek.
Social media presence is very high: 55.3% manage between one and three accounts, nearly 40% more than three. Only three students (6.4%) claimed to have none.
Exposure to hacking practices is clear. One 13-year-old student (8th grade) knew of LockUp, a pirated tool aggregating personal data from leaks, including real-time data from corporate admin tools. An example screenshot of such a data stealer is provided below.
When asked about using passwords that did not belong to them, 16 students (34%) said yes. Pirated software use was also widespread: 3 students (6.4%) tested keyloggers, 19 (40.4%) used game cheat programs [likely compromised by stealers/Trojans], and 2 (4.3%) tested infostealers. However, 26 students (55.3%) stated they had not used any such software. Since the survey was anonymous, results are likely honest.
These findings support the ICO’s analysis: unchecked technological curiosity can quickly turn into illegal activity. Educational workshops and prevention programs are essential to channel this interest into legitimate cybersecurity paths. In October, ZATAZ will meet with several hundred more students and share new, concrete figures by the end of the month.
It is not new, but schools today are becoming involuntary training grounds for future cybercriminals. With youth already massively exposed to digital tools and pirated software, prevention is the first line of defense. The key question remains: will schools transform this early interest into a cybersecurity talent pool, or will it remain an internal threat? [ZATAZ News English version]
