British Council Students’ Data Exposed in Major Breach
Hundreds of thousands of British Council students had their personal and login details exposed in a worrying data breach, according to an investigation by Clario researchers.
The team discovered an open Microsoft Azure blob repository, indexed by a public search engine, that held 144K+ xml, json and xls/xlsx files with no authentication in place. These contained sensitive information about hundreds of thousands of students who had enrolled on British Council courses across the world. This included students’ full names, email addresses, student IDs, notes, student status, enrollment dates and study duration. It is not known how long this information was publicly available online.
The breach was discovered on December 5 2021, and Clario informed the British Council as soon as they had confirmed their findings. However, they received no response. After 48 hours, contact was made via Twitter, and Clario engaged in regular communication with the organization via direct messages on the platform.
Two weeks later, on December 21, the British Council issued the following statement: “The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.
“Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.
“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”
Clario stated: “Although they were not responsible for the data breach, errors made by the data provider they decided to work with have exposed these student details. This suggests that they need to be more rigorous in terms of how they select and work with third parties.”
British Council students have been warned that the breach may put them at risk of various scams, such as phishing and identity theft.
The British Council is a non-departmental public organization that aims to connect people in the UK and other countries through culture, education and the English language. In 2019-20, it connected with 80 million people directly and 791 million overall, including online and through broadcasts and publications.
At the end of last year, official data obtained from a Freedom of Information request revealed that the council had fallen victim to two successful ransomware attacks over the past five years, suffering a total of 12 days of downtime as a result.