A British Council data leak has exposed thousands of students’ information
These days, we’re all aware of the dangers of our online information being hacked. We’re told to change our passwords frequently, not to share them and to be wary of anything that looks ‘phishy’ online. However, no person or organisation is immune. A recent victim is the British Council, which works around the world to promote arts and culture, education and the English language to build ‘understanding and trust’. In the 2019/2020 timeframe alone, it connected with 80 million people and its database is huge.
Back on 5 December 2021, an independent cybersecurity researcher, Bob Diachenko, who was working with cybersecurity software manufacturer Clario, discovered a data leak on the British Council’s site.
According to Diachenko and the team he was working with, they found an “open and unprotected Microsoft Azure blob repository. This contained 144K+ files with personal and login details of British Council students…” The information available from this exposure included the students’ names, email addresses, their student IDs, student status, enrolment dates and duration of study.
No one knows how long this data had been visible, but Diachenko’s team contacted the British Council the same day they found it – and had no response. After 48 hours, the team contacted the British Council again, this time through Twitter, and they received a reply. According to the Clario team, it took two weeks from then for the breach to be secured.
A British Council spokesperson gave the following response: “We are aware that approximately 10,000 customer records held and processed by a third-party service provider became exposed in December last year. The data in question was held and processed by a third-party service provider. Approximately 10,000 records were accessible in a way that should not have occurred. On becoming aware of this, our third-party service provider immediately secured the records with appropriate controls and the data in question was rendered no longer accessible. We are working with the supplier to ensure similar incidents do not happen in the future.
“We have reported the incident in accordance with our regulatory obligations and we remain in contact with the Information Commissioner’s Office should any further action be required.
“The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.”
In a written communication, the British Council has further stated:
- The exposed data was not of a nature that it would adversely affect the individuals involved, so at this stage there has been no need for any further action on our part in relation to our third-party data provider.
- The British Council has rigorous global data protection processes in place and takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of our customers’ personal information is paramount. We are working closely with our third-party data providers to ensure any data management gaps are closed swiftly and that similar incidents do not happen in the future.
Clario is keen to point out that this data breach follows two successful ransomware attacks on the organisation in the past five years and that it’s not a good look for the BC’s reputation.