British Council Exposed More Than 100000 Files with Student Records

More than 100000 files with student records belonging to the British Council were exposed online. The British Council endorses the study of British culture and the English language the world over and administers the IELTS standardized language exam.

According to Clario, a cybersecurity firm, an unsecured Microsoft Azure blob revealed more than 100000 files with student records containing student names, IDs, usernames and email addresses, and other personal information.

Bob Diachenko from Clario discovered the leak in December 2021 and immediately reported his findings to the British Council.

The organization is partially funded by the UK Government via a grant. The independently operated non-profit generates a large amount of its revenue from activities such as teaching, exams, tendered contracts, and partnerships.

The British Council conducts the International English Language Testing System (IELTS) exam, a standardized English language test recognized around the world, alongside TOEFL.

Diachenko discovered the unprotected Azure blob container, which had been indexed by a public search engine. It contained thousands of Excel spreadsheets and XML/JSON files, viewable by anyone.

The data of hundreds of thousands of British Council English course learners and students from around the world was exposed. The exposed information included full name, email address, student ID, student status, enrollment dates, duration of study, and notes.

It is unclear, though, how the data came to be available online to the public without any authentication.

[Image: the XML file with personal information]

The British Council said in a statement:

“The data in question was held and processed by a third-party service provider. Approximately 10,000 records were accessible in a way that should not have occurred. On becoming aware of this, our third-party service provider immediately secured the records with appropriate controls and the data in question was rendered no longer accessible. We are working with the supplier to ensure similar incidents do not happen in the future.

We have reported the incident in accordance with our regulatory obligations and we remain in contact with the Information Commissioner’s Office should any further action be required.

The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.” 

Clario has advised all British Council students and test-takers to watch for suspicious phishing emails they may receive. It would also be a good idea for them to change their login passwords immediately as a precautionary measure.
