Report: Unsecured Student Details Discovered at British Council’s Data Provider

MacKeeper has collaborated with independent cybersecurity researcher Bob Diachenko to unveil and responsibly report the incident described in this data breach report.

The British Council's Data Provider Exposed Student Details

The British Council is one of the world’s leading champions of education and empowering young people to learn English and transform their lives through learning and qualifications. But it seems the organization and its data provider could learn some lessons of its own when it comes to cybersecurity and protecting its data.  

 

Our team recently found an open and unprotected Microsoft Azure blob repository. This contained 144K+ files with personal and login details of British Council students, potentially putting them and their personal information at risk.  

Company Profile  

The British Council is a British organization specializing in offering international cultural and educational opportunities.  

 

The organization operates in more than 100 different countries across the world with its mission to promote greater knowledge of the UK and the English language.  

 

In 2019-20, the council connected with 80 million people directly and with 791 million overall, including online and through broadcasts and publications.

Timeline

Data leak discovered: December 5th, 2021
Reported on: December 5th, 2021
Was the issue addressed? Yes
Comment provided by the British Council? Yes

 

Data Exposure Summary

A blob container was indexed by a public search engine and contained 144K+ XML, JSON and XLS/XLSX files.

 

These files were structured to include various details about hundreds of thousands of British Council English course learners and students across the globe. This information included:

  • Full name
  • Email address
  • StudentID
  • Notes
  • Student status
  • Enrollment dates
  • Duration of study

[Image: British Council’s Student Details Exposed in Data Breach]

It is unknown how long this data was publicly available online with no authentication in place.

 

As soon as the sensitivity of the data and the owner of the repository were confirmed, the British Council was contacted but failed to respond. After 48 hours, the organization was contacted via Twitter and since then communication has been through direct messages on the platform.

 

On December 23rd, 2021 (two weeks after the initial contact), it was confirmed that the repository had been secured. The British Council also provided the following statement.
 

The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.

 

Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.  

 

We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.

 

* * *

Data breach impact  

While many British Council students are looking to expand their knowledge by studying with the organization, the exposure of their sensitive information could have put them at risk from a variety of different scams.  

User impact  

Identity theft or fraud  

If scammers have access to personal details such as name, contact details and, in this case, student status, then students could have become victims of identity fraud. Examples in this case could include stealing qualifications or buying products in the name of students.  

Phishing  

Phishing is a form of cybercrime that becomes possible when criminals can access personal details. The more personal information they have, the more convincingly their scams can trick users into giving up sensitive information. In this case, email addresses, student names and other details could have been used to trick students into handing over more details or money.

Impact on British Council

There are challenges for the British Council if this data breach becomes common knowledge. It also follows a history of issues surrounding cybersecurity. A recent report, based on official figures, revealed that the organization has been a victim of two successful ransomware attacks over the past five years.

 

The data, obtained from a freedom of information (FoI) request, revealed that the British Council suffered a total of 12 days of downtime due to the incidents: five days in the first and seven in the second.

Loss of reputation

Loss of reputation is a concern for the British Council. Although they were not responsible for the data breach, errors made by the data provider they decided to work with have exposed these student details. This suggests that they need to be more rigorous in terms of how they select and work with third parties. If it did become a news story, then it would be linked to previous data breaches to emphasize the council’s poor track record with cybersecurity.    

At risk of hackers

With this information exposed, hackers could also use this data to target the British Council and exploit vulnerabilities in their IT infrastructure for their own malicious ends. For example, hackers could open bank accounts, take out loans or make expensive financial purchases in your name. They could use this information to access your online accounts such as with different stores or financial service providers.  

How to stay safe from data breaches

At MacKeeper, we work round the clock to ensure the personal data of our users is kept secure. In case of a data breach, we advise:  

  • Log in to your account and change your login passwords immediately

This is the easiest way to ensure nobody gains access to your account, especially if you update it as soon as possible after the breach has occurred. Remember that your passwords should be updated every 180 days.  

  • Cautiously approach suspicious-looking emails or links

Follow your instincts. Is that email or website looking dodgy? Did you suddenly get an advertisement, asking you to join a promo? Stay on high alert after a data breach to make sure you don’t fall victim to a scam.  

  • Work with a trusted cybersecurity provider…

Such as MacKeeper. We ensure your Mac is protected from viruses and threats 24/7, maintain your online privacy, and make sure your device is optimized for performance.  

Data Breach Summary

Affected company: British Council (https://www.britishcouncil.org)
Exposed environment: Microsoft Azure blob repository
Type of data exposed: Personal and login details of British Council students
Estimated number of records: 144,000+ files
Publicly indexed by: Unknown public search engine
Discovered on: December 5th, 2021
Reported on: December 5th, 2021
Issue addressed: Yes