British Council data breach leaks 10,000 student records | The Daily Swig

British Council data breach leaks 10,000 student records
Jessica Haworth 02 February 2022 at 12:44 UTC
Updated: 03 February 2022 at 08:26 UTC
Data Breach UK Education
Researchers say 144,000 files were exposed

A third-party data breach has exposed at least 10,000 records held by the British Council

A third-party data breach has exposed at least 10,000 records held by the British Council, a public sector organization that provides English language courses worldwide.

The security incident was reported on December 5, 2021 by researchers from Clario when they discovered an open and unprotected Microsoft Azure blob repository.

A blob container was indexed by a public search engine, said Clario, which they claim contained more than 144,000 of xml, json, and xls/xlsx files.


Read more of the latest data breach news


These datasets featured personal data belonging to students from around the world, including full names, email addresses, student IDs, enrollment dates, and durations of study.

“It is unknown for how long this data was available online in public, with no authentication in place,” Clario said in a blog post on its Mackeeper website.

At risk
Researchers contacted the British Council on December 5, and then on December 23 the institution confirmed what they had found.

Clario researchers said that the repository “personal and login details of British Council students, potentially putting them and their personal information at risk”.

In an email to The Daily Swig, a spokesperson for the British Council said that 10,000 records were “accessible in a way that should not have occurred”.



YOU MAY LIKE Red Cross suffers cyber-attack – data of 515,000 ‘highly vulnerable’ people exposed



The spokesperson said: “The data in question was held and processed by a third-party service provider. Approximately 10,000 records were accessible in a way that should not have occurred.

“On becoming aware of this, our third-party service provider immediately secured the records with appropriate controls and the data in question was rendered no longer accessible.

“We are working with the supplier to ensure similar incidents do not happen in the future.

“We have reported the incident in accordance with our regulatory obligations and we remain in contact with the Information Commissioner’s Office should any further action be required.

“The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.”

The Daily Swig has reached out to the British Council to clarify whether the 10,000 records contained 144,000 files, or if it disputes Clario’s findings.

Next steps
The British Council, which was founded by the UK government in 1934, promotes cultural relations and educational opportunities overseas.

Clario advised any individual that may have been affected to change their passwords immediately and be on the lookout for suspicious-looking emails or links.

The blog post added: “Follow your instincts. Is that email or website looking dodgy? Did you suddenly get an advertisement, asking you to join a promo? Stay on high alert after a data breach to make sure you don’t fall victim to a scam.”