British Council Students’ Data Exposed in Major Breach
Hundreds of thousands of British Council students had their personal and login details exposed in a worrying data breach, according to an investigation by Clario researchers.
The team discovered an open Microsoft Azure blob repository, indexed by a public search engine, that held 144K+ XML, JSON and XLS/XLSX files with no authentication in place. These files contained sensitive information about hundreds of thousands of students who had enrolled on British Council courses across the world. This included students’ full names, email addresses, student IDs, notes, student status, enrollment dates and study duration. It is not known how long this information was publicly available online.
The breach was discovered on December 5 2021, and Clario informed the British Council as soon as they had confirmed their findings. However, they received no response. After 48 hours, contact was made via Twitter, and Clario engaged in regular communication with the organization via direct messages on the platform.
Two weeks later, on December 21, the British Council issued the following statement: “The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.
“Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.
“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”
Clario stated: “Although they were not responsible for the data breach, errors made by the data provider they decided to work with have exposed these student details. This suggests that they need to be more rigorous in terms of how they select and work with third parties.”
British Council students have been warned that the breach may put them at risk of various scams, such as phishing and identity theft.
The British Council is a non-departmental public organization that aims to connect people in the UK and other countries through culture, education and the English language. In 2019-20, it connected with 80 million people directly and 791 million overall, including online and through broadcasts and publications.
At the end of last year, official data obtained from a Freedom of Information request revealed that the council had fallen victim to two successful ransomware attacks over the past five years, suffering a total of 12 days of downtime as a result.