More than 100,000 files, including student records from the British Council, were discovered online. A cybersecurity firm uncovered an unsecured Microsoft Azure blob container exposed on the internet, which revealed student names, IDs, usernames, email addresses, and other sensitive information. The British Council, founded in 1951 in London, is a British organization that promotes cultural and educational opportunities worldwide. It works in over 100 countries to promote cultural, scientific, technological, and educational interaction with the UK, as well as a better understanding of the UK and the English language.
Clario, a cybersecurity firm, and security researcher Bob Diachenko discovered the breach on December 5th, 2021, and immediately contacted the British Council. According to the researchers, a public search engine had indexed an insecure Azure blob container holding hundreds of readable Excel spreadsheets and XML/JSON files. These files contained personal information of hundreds of thousands of learners and students of British Council English courses from around the world. The researchers note that it is unclear how long this content was available to the public online without authentication.
The British Council issued a statement about the incident on December 23rd: “The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount. Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.”
“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required,” the council added.
One of the researchers' key worries at the time was the danger of phishing actors and identity thieves gaining access to this information. After not hearing back from the British Council for 48 hours, the researchers tried to make contact again, this time via Twitter, which is where further communication between the two sides took place.
According to the British Council, although the researchers uncovered over 144,000 files, only roughly 10,000 student records were impacted. The discovery of this data leak comes in the wake of a report last month stating that the British Council had been the target of "two successful ransomware assaults over the past five years," in addition to six unsuccessful attempts by ransomware operators. The British Council apparently faced 12 days of downtime as a result of these attacks: five days in the first case and seven days in the second. However, the organization did not pay a ransom on either occasion.