British Council Students’ Data Exposed in Major Breach
Hundreds of thousands of British Council students had their personal and login details exposed in a worrying data breach, according to an investigation by Clario researchers.
The team discovered an open Microsoft Azure blob repository indexed by a public search engine that held 144K+ of xmal, json and xls/xlsx files, with no authentication in place. These contained sensitive information about hundreds of thousands of students that had enrolled on British Council courses across the world. This included students’ full names, email addresses, student IDs, notes, student status, enrollment dates and study duration. It is not known how long this information was available online in public.
The breach was discovered on December 5 2021, and Clario informed the British Council as soon as they had confirmed their findings. However, they received no response. After 48 hours, contact was made via Twitter, and Clario engaged in regular communication with the organization via direct messages on the platform.
Two weeks later, on December 21, the British Council issued the following statement: “The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.
“Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.
“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”
Clario stated: “Although they were not responsible for the data breach, errors made by the data provider they decided to work with have exposed these student details. This suggests that they need to be more rigorous in terms of how they select and work with third parties.”
British Council students have been warned that the breach may put them at risk of various scams, such as phishing and identity theft.
The British Council is a non-departmental public organization that aims to connect people in the UK and other countries through culture, education and the English language. In 2019-20, it connected with 80 million people directly and 791 million overall, including online and through broadcasts and publications.
At the end of last year, official data obtained from a Freedom of Information request revealed that the council had fallen victim to two successful ransomware attacks over the past five years, suffering a total of 12 days of downtime as a result.
More Stories
Microsoft Fixes Security Flaw in Windows Screenshot Tools
Information disclosure vulnerability aCropalypse could enable malicious actors to recover sections of screenshots Read More
Three Variants of IcedID Malware Discovered
The new variants hint that considerable effort is going into the future of IcedID and its codebase Read More
New MacStealer Targets Catalina, Newer MacOS Versions
The malware can extract information from documents, browser cookies and login information Read More
Can zero trust be saved?
Graham Cluley Security News is sponsored this week by the folks at Kolide. Thanks to the great team there for...
Part of Twitter source code leaked on GitHub
Part of Twitter’s source code has been leaked and posted on GitHub by an unknown user. GitHub took down the...
Hacks at Pwn2Own Vancouver 2023
An impressive array of hacks were demonstrated at the first day of the Pwn2Own conference in Vancouver: On the first...