Page 10 - ELG2202 Feb Issue 479
P. 10
BUSINESS NEWS .
Security breach a potential nightmare
A British Council data leak has exposed thousands of students’ information
hese days, we’re all aware
of the dangers of our
online information being
T hacked. We’re told to
change our passwords frequently,
not share them and to be wary
of anything that looks ‘phishy’ WORDS LIZ GRANIRER. PHOTO SHUTTERSTOCK
online. However, no person or
organisation is immune. A recent
victim is the British Council,
which works around the world
to promote arts and culture,
education and the English
language to build ‘understanding
and trust’. In the 2019/2020
timeframe alone, it connected
with 80 million people and its
data base is huge.
Back on 5 December 2021,
an independent cybersecurity
researcher, Bob Diachenko, who
was working with cybersecurity
software manufacturer Clario,
discovered a data leak on the
British Council’s site.
According to Diachenko took two weeks from then for the “We have reported the incident • The British Council has rigorous
and the team he was working breach to be secured. in accordance with our regulatory global data protection processes
with, they found an “open and A British Council spokesperson obligations and we remain in in place and takes its
unprotected Microsoft Azure gave the following response: contact with the Information responsibilities under the Data
blob repository. This contained “We are aware that approximately Commissioner’s Office should any Protection Act 2018 and
144K+ files with personal and 10,000 customer records held and further action be required. General Data Protection
login details of British Council processed by a third-party service “The British Council takes its Regulations (GDPR) very
students…” The information provider became exposed in responsibilities under the Data seriously. The privacy and security
available from this exposure December last year. The data in Protection Act 2018 and General of our customers’ personal
included the students’ names, question was held and processed Data Protection Regulations information is paramount. We
email addresses, their student IDs, by a third-party service provider. (GDPR) very seriously. The are working closely with our
student status, enrolment dates Approximately 10,000 records privacy and security of personal third-party data providers to
and duration of study. were accessible in a way that information is paramount.” ensure any data management
No one knows how long should not have occurred. On In a written communication, gaps are closed swiftly and that
this data had been visible, but becoming aware of this, our the British Council has further similar incidents do not happen
Diachenko’s team contacted third-party service provider stated: in the future.
the British Council the same immediately secured the records • The exposed data was not of a
day they found it – and had with appropriate controls nature that it would adversely Clario is keen to point out
no response. After 48 hours, and the data in question was affect the individuals involved, that this data breach follows two
the team contacted the British rendered no longer accessible. so at this stage there has been successful ransomware attacks
Council again, this time through We are working with the supplier no need for any further action on the organisation in the past
Twitter, and they received a reply. to ensure similar incidents do on our part in relation to our five years and that it’s not a good
el.gazette_print.pdf 2 09/02/2022 17:58
According to the Clario team, it not happen in the future. third-party data provider. look for the BC’s reputation.
C
M
Y
CM
MY
CY
CMY
K
10 February 2022
