British Council: data breach leaks 10,000 student records

07 March 2022

A security incident has exposed at least 10,000 records held by the British Council, a public sector organisation that provides English language courses worldwide.

The third-party breach was reported December 5, 2021 by researchers from security software development company Clario when they discovered an open and unprotected Microsoft Azure blob repository.

Clario said blob container was indexed by a public search engine, which researchers claim contained more than 144,000 of xml, json, and xls/xlsx files.

These datasets featured personal data belonging to students from around the world, including full names, email addresses, student IDs, enrolment dates and durations of study.

“It is unknown for how long this data was available online in public, with no authentication in place,” Clario said in a blog post on its Mackeeper website.

Researchers contacted the British Council December 5 – then on December 23 the institution confirmed what it had found.

Clario researchers said that the repository “personal and login details of British Council students, potentially putting them and their personal information at risk”.

They also advised any individual that may have been affected to change their passwords immediately and be on the lookout for suspicious-looking emails or links.

“Follow your instincts. Is that email or website looking dodgy?” the post added. “Did you suddenly get an advertisement, asking you to join a promo? Stay on high alert after a data breach to make sure you don’t fall victim to a scam.”

The British Council, founded by the UK government in 1934, promotes cultural relations and educational opportunities overseas.