Personal information belonging to British Council students was exposed online via an unsecured repository.
The British Council is a British organisation specialising in international cultural and educational opportunities. It operates in over 100 countries, promoting a wider knowledge of the United Kingdom and the English language and encouraging cultural, scientific, technological and educational co-operation with the United Kingdom.
In early December 2021, the popular MacKeeper cybersecurity researcher Bob Diachenko discovered an open, unsecured Microsoft Azure blob repository containing over 144,000 files (xml, json and xls/xlsx). Analysis of the files revealed that they contained the personal information and login credentials of British Council students.
“Our team recently found an open and unprotected Microsoft Azure blob repository. This contained 144K+ files with personal and login details of British Council students, potentially putting them and their personal information at risk.” reads the post published by MacKeeper.
Exposed data include names, IDs, usernames and email addresses, enrollment dates, duration of study, and notes.
At this time it is unclear how long the data remained exposed online without protection.
MacKeeper notified the British Council, which secured the repository on December 23.
“The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The Privacy and security of personal information is paramount.” reads the statement issued by the British Council. “Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place. We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”
The impacted individuals are exposed to a broad range of malicious activities, including identity theft, phishing attacks, and scams. Impacted users are advised to change their account passwords and remain vigilant for possible phishing messages.
(SecurityAffairs – hacking, data leak)