KEY POINTS

  • The students' files were found in an unsecured repository
  • A cyber security firm made the discovery
  • The British Council immediately acted after learning about the incident

The British Council, the organization known for promoting intercultural relations and educational opportunities abroad, had 144,000 files containing the personal and login details of students exposed online.

The exposed files were discovered by the cybersecurity software company Clario and cybersecurity researcher Bob Diachenko in an unsecured Microsoft Azure blob repository of the British Council's data provider in December 2021. The files reportedly contained crucial student information, including full names, email addresses, student IDs, enrollment dates, duration of studies and notes.

These personal and login details being available in an unsecured repository could potentially put students and their data at grave risk.

Unfortunately, cybersecurity researchers were unable to determine how long the data was publicly available online without any authentication in place. Following the discovery, cybersecurity researchers reached out to the British Council but the organization reportedly failed to respond.

The organization was then contacted through Twitter 48 hours following the cybersecurity firm's discovery. A couple of weeks after the initial contact, the British Council announced the incident and issued a statement.

"The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount," it said.

"Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place," the organization added. "We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required."

"Cases like British Council's one show that, unfortunately, no matter how large or prepared a company is, there is still a place for a human mistake or misconfiguration at a partner’s end when we talk about data protection," Diachenko told International Business Times. "In this case, the challenge for British Council now is to overcome and set up a proper incident response action plan and introduce more strict compliance regulations among its contractors still."

For those wondering how to stay protected and prevent their data from being exposed online, Clario has some useful tips.

"At Clario, we work round the clock to ensure the personal data of our users is kept secure. In case of a data breach, we advise: log in to your account and change your login passwords immediately," the cybersecurity firm shared with IBT through an email.

"This is the easiest way to ensure nobody gains access to your account, especially if you update it as soon as possible after the breach has occurred. Remember that your passwords should be updated every 180 days," the firm explained. "Cautiously approach suspicious-looking emails or links."

"Follow your instincts. Is that email or website looking dodgy? Did you suddenly get an advertisement, asking you to join a promo? Stay on high alert after a data breach to make sure you don’t fall victim to a scam," Clario said further.

Finally, it advised consumers to always "work with a trusted cybersecurity provider."