Data on 144,000 students from all over the world who had engaged with education programmes run by The British Council was left dangerously exposed to the public internet by a third-party partner, in a Microsoft Azure Blob Storage container with no access controls at all, it has emerged.
A non-departmental public body sponsored by the Foreign, Commonwealth and Development Office, The British Council forms a major component of the UK’s so-called “soft power” around the world, engaging with millions of people in more than 100 countries with a core mission of promoting greater knowledge of the English language and the UK.
The container held multiple XML, JSON and XLS/XLSX files, which had been indexed by a public search engine, meaning anyone could list and download them without credentials. The data included full names and addresses, student IDs, and information related to the students' studies.
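The misconfiguration behind this kind of exposure is an Azure Blob Storage container whose public access level is set to "Container", which lets an unauthenticated client enumerate and fetch every blob in it (a "Blob" level allows anonymous reads of known blob URLs but not listing; "Private" allows neither). The following is an added example, not code from the article, Clario or The British Council, showing how a practitioner would check a container of their own for anonymous listing and parse the XML listing that Azure returns. The storage account and container names, and the sample listing, are constructed for illustration and do not refer to the exposed data.

```python
"""Check whether an Azure Blob Storage container permits anonymous listing.

Added example; the account/container names and SAMPLE_LISTING below are
hypothetical and constructed for illustration.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def listing_url(account: str, container: str) -> str:
    """Anonymous List Blobs URL. A container whose public access level is
    'Container' answers this with an EnumerationResults XML document."""
    return (f"https://{account}.blob.core.windows.net/{container}"
            "?restype=container&comp=list")


def parse_listing(xml_text: str) -> list:
    """Parse a List Blobs response into dicts of name/size/last_modified.
    The response XML carries no namespace, so plain tag names match."""
    root = ET.fromstring(xml_text)
    blobs = []
    for blob in root.iter("Blob"):
        props = blob.find("Properties")
        blobs.append({
            "name": blob.findtext("Name"),
            "size": int(props.findtext("Content-Length") or 0),
            "last_modified": props.findtext("Last-Modified"),
        })
    return blobs


# File types that typically hold exported records rather than static assets.
SENSITIVE_EXT = (".xml", ".json", ".xls", ".xlsx", ".csv", ".sql", ".bak", ".zip")


def flag_sensitive(blobs: list) -> list:
    """Names of blobs whose extension suggests bulk data exports."""
    return [b["name"] for b in blobs
            if b["name"] and b["name"].lower().endswith(SENSITIVE_EXT)]


def probe_container(account: str, container: str, timeout: int = 10):
    """Live check (needs network). Returns (anonymously_listable, blobs).
    A 403, 404 or 409 (PublicAccessNotPermitted) means listing is denied."""
    req = urllib.request.Request(
        listing_url(account, container),
        headers={"x-ms-version": "2020-10-02"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Azure prefixes the body with a UTF-8 BOM; utf-8-sig strips it.
            return True, parse_listing(resp.read().decode("utf-8-sig"))
    except urllib.error.HTTPError:
        return False, []


# Constructed sample of what a publicly listable container returns.
SAMPLE_LISTING = """<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://exampleacct.blob.core.windows.net/" ContainerName="exports">
  <Blobs>
    <Blob>
      <Name>students_2021.xlsx</Name>
      <Properties>
        <Last-Modified>Wed, 01 Dec 2021 10:00:00 GMT</Last-Modified>
        <Content-Length>204800</Content-Length>
      </Properties>
    </Blob>
    <Blob>
      <Name>roster.json</Name>
      <Properties>
        <Last-Modified>Thu, 02 Dec 2021 08:30:00 GMT</Last-Modified>
        <Content-Length>51200</Content-Length>
      </Properties>
    </Blob>
    <Blob>
      <Name>logo.png</Name>
      <Properties>
        <Last-Modified>Mon, 01 Nov 2021 12:00:00 GMT</Last-Modified>
        <Content-Length>8192</Content-Length>
      </Properties>
    </Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>
"""


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    print(f"{len(found)} blobs listed; sensitive-looking: {flag_sensitive(found)}")
```

In a real assessment `probe_container` is pointed only at accounts you are authorised to test. The fix on the Azure side is to set the container's public access level to off (`az storage container set-permission --public-access off`) and, better, to disallow public blob access for the whole storage account (`az storage account update --allow-blob-public-access false`), so that no individual container can be made public again by mistake.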
It was uncovered on 5 December 2021 by analysts at consumer cyber firm Clario – the firm behind the MacKeeper product family – working alongside independent security researcher Bob Diachenko.
Clario’s Ruslana Lishchuk said the firm contacted The British Council as soon as it established the provenance and validity of the data, but alleged that the organisation initially failed to respond. After two days, Clario reached out again via direct messages on Twitter, where it did receive a response. The database was fully secured by 23 December.
“The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulation very seriously. The privacy and security of personal information is paramount,” said a spokesperson for The British Council.
“Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are, and remain, in place.
“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”
Neither The British Council nor Clario revealed the identity of the third-party provider, nor did the organisations say for how long the data was exposed, or whether anybody actually accessed or exfiltrated it.
Nevertheless, the impact of the data exposure on the students involved could be significant, with consequences including identity theft, fraud attempts and phishing scams. In some countries, The British Council has come to be regarded as a potential foreign agent – it was thrown out of Russia altogether in 2018, allegedly as part of a tit-for-tat retaliation after the UK took action against Moscow for using illicit chemical weapons on British soil – so involvement with the organisation may, in rare circumstances, pose a political risk to students.
There are also potential consequences for The British Council – which faced criticism last year after it emerged that it had fallen victim to two ransomware attacks since 2016 – including reputational damage, even though the data exposure occurred through the inaction of a third party.
Clario added that it is also quite possible that malicious actors could use the student data in targeted phishing campaigns against The British Council itself, seeking to exploit existing vulnerabilities in its IT infrastructure.