A third-party data breach has exposed at least 10,000 records held by the British Council, a public sector organization that provides English language courses worldwide.
The security incident was reported on December 5, 2021 by researchers from Clario when they discovered an open and unprotected Microsoft Azure blob repository.
Clario said a blob container had been indexed by a public search engine and claimed that it contained more than 144,000 xml, json, and xls/xlsx files.
These datasets featured personal data belonging to students from around the world, including full names, email addresses, student IDs, enrollment dates, and durations of study.
“It is unknown for how long this data was available online in public, with no authentication in place,” Clario said in a blog post on its MacKeeper website.
At risk
Researchers contacted the British Council on December 5, and then on December 23 the institution confirmed what they had found.
Clario researchers said that the repository contained “personal and login details of British Council students, potentially putting them and their personal information at risk”.
In an email to The Daily Swig, a spokesperson for the British Council said that 10,000 records were “accessible in a way that should not have occurred”.
The spokesperson said: “The data in question was held and processed by a third-party service provider. Approximately 10,000 records were accessible in a way that should not have occurred.
“On becoming aware of this, our third-party service provider immediately secured the records with appropriate controls and the data in question was rendered no longer accessible.
“We are working with the supplier to ensure similar incidents do not happen in the future.
“We have reported the incident in accordance with our regulatory obligations and we remain in contact with the Information Commissioner’s Office should any further action be required.
“The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.”
The Daily Swig has reached out to the British Council to clarify whether the 10,000 records contained 144,000 files, or if it disputes Clario’s findings.
Next steps
The British Council, which was founded by the UK government in 1934, promotes cultural relations and educational opportunities overseas.
Clario advised any individual that may have been affected to change their passwords immediately and be on the lookout for suspicious-looking emails or links.
The blog post added: “Follow your instincts. Is that email or website looking dodgy? Did you suddenly get an advertisement, asking you to join a promo? Stay on high alert after a data breach to make sure you don’t fall victim to a scam.”
Source: https://portswigger.net/daily-swig/british-council-data-breach-leaks-10-000-student-records