Privacy

Report: Unsecured Student Details Discovered at British Council’s Data Provider

MacKeeper has collaborated with independent cybersecurity researcher Bob Diachenko to unveil and responsibly report the incident described in this data breach report.

The British Council's Data Provider Exposed Students Details

The British Council is one of the world’s leading champions of education and empowering young people to learn English and transform their lives through learning and qualifications. But it seems the organization and its data provider could learn some lessons of its own when it comes to cybersecurity and protecting its data.  

 

Our team recently found an open and unprotected Microsoft Azure blob repository. This contained 144K+ files with personal and login details of British Council students, potentially putting them and their personal information at risk.  

Company Profile  

The British Council is a British organization specializing in offering international cultural and educational opportunities.  

 

The organization operates in more than 100 different countries across the world with its mission to promote greater knowledge of the UK and the English language.  

 

In 2019-20, the council connected with 80 million people directly and with 791 million overall, including online and through broadcasts and publications.

Timeline

Data Leak Discovered

     December 5th, 2021       

Reported On     December 5th, 2021
Was the Issue addressed?

Yes

Comment provided by the British Council?  

Yes

 

Data Exposure Summary

A blob container was indexed by a public search engine and contained 144K+ of xml, json and xls/xlsx files.  

 

These were structured to include various pieces of information about hundreds of thousands of British Council English course learners' and students' details across the globe. This information included:  

  • Full name
  • Email address
  • StudentID
  • Notes
  • Student status
  • Enrollment dates
  • Duration of study
British Council’s Student Details Exposed in Data Breach

It is unknown for how long this data was available online in public, with no authentication in place.

 

As soon as the sensitivity of the data and the owner of the repository were confirmed, the British Council was contacted but failed to respond. After 48 hours, the organization was contacted via Twitter and since then communication has been through direct messages on the platform.

 

On December 23rd, 2021 (two weeks after the initial contact), confirmation of the security of the repository was announced. The British Council also provided the following statement.  
 

The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The Privacy and security of personal information is paramount.

 

Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.  

 

We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.

 

* * *

Data breach impact  

While many British Council students are looking to expand their knowledge by studying with the organization, the exposure of their sensitive information could have put them at risk from a variety of different scams.  

User impact  

Identity theft or fraud  

If scammers have access to personal details such as name, contact details and, in this case, student status, then students could have become victims of identity fraud. Examples in this case could include stealing qualifications or buying products in the name of students.  

Phishing  

Phishing is a form of cybercrime committed by cybercriminals if they can access personal details. The more personal information they have, the more convincing their scams can trick users into giving up sensitive information. In this case, email address, student name and other details could have been used to trick them into handing over more details or money.  

Impact on British Council

There are challenges for the British Council if this data breach becomes common knowledge. It also follows a history of issues surrounding cybersecurity. A recent report revealed how the organization has been a victim of two successful ransomware attacks over the past five years, official figures have shown.

 

The data, obtained from a freedom of information (FoI) request revealed that the British Council suffered a total of 12 days of downtime due to the incidents; five days in the first and seven in the second.

Loss of reputation

Loss of reputation is a concern for the British Council. Although they were not responsible for the data breach, errors made by the data provider they decided to work with have exposed these student details. This suggests that they need to be more rigorous in terms of how they select and work with third parties. If it did become a news story, then it would be linked to previous data breaches to emphasize the council’s poor track record with cybersecurity.    

At risk of hackers

With this information exposed, hackers could also use this data to target the British Council and exploit vulnerabilities in their IT infrastructure for their own malicious ends. For example, hackers could open bank accounts, take out loans or make expensive financial purchases in your name. They could use this information to access your online accounts such as with different stores or financial service providers.  

How to stay safe from data breaches

At MacKeeper, we work round the clock to ensure the personal data of our users is kept secure. In case of a data breach, we advise:  

  • Log in to your account and change your login passwords immediately

This is the easiest way to ensure nobody gains access to your account, especially if you update it as soon as possible after the breach has occurred. Remember that your passwords should be updated every 180 days.  

  • Cautiously approach suspicious-looking emails or links

Follow your instincts. Is that email or website looking dodgy? Did you suddenly get an advertisement, asking you to join a promo? Stay on high alert after a data breach to make sure you don’t fall victim to a scam.  

  • Work with a trusted cybersecurity provider…

Such as MacKeeper. We ensure your Mac is protected from viruses and threats 24/7, maintain your online privacy, and make sure your device is optimized for performance.  

Data Breach Summary

Affected companyBritish Council (https://www.britishcouncil.org)
Exposed environmentMicrosoft Azure blob repository
Type of data exposedPersonal and login details of British Council students
Estimated number of records144,000 + files
Publicly indexed byUnknown public search engine
Discovered onDecember 5th, 2021
Reported onDecember 5th, 2021
Issue addressedYes
Use your Mac to the fullest! Sign up and get:
Effective tips on how to fix Mac issues
Reliable advice on how to stay safe online
Mac-world news and updates

Thank you!

You’ll love exploring your Mac with us.

Oops, something went wrong.

Try again or reload a page.

PC

MacKeeper - your all-in-one solution for more space and maximum security.

Try Now

Contents

First time here?Get to know MacKeeper with our special $1 autumn deal!

  • Clean up your Mac's memory

  • Enjoy ultimate security with our antivirus & adware removal

  • Secure your passwords with 24/7 breach monitoring

icon

Great! MacKeeper downloaded.

Now let’s install it on your Mac.

Here’s your download. Just click it to get started!

1. Open

Click above to open the MacKeeper file from your Downloads

first install step

2. Install

Select Continue to begin the installation

second install step

3. Complete

Hit Install to complete the installation

third install step

4. Enjoy

MacKeeper is all set to optimize your Mac

fourth install step