British Council Exposed More than 100,000 Files with Student Records

More than 100,000 files with student records belonging to British Council were found exposed online.

An unsecured Microsoft Azure blob discovered on the internet by a cybersecurity firm revealed student names, IDs, usernames and email addresses, and other personal information.

British Council promotes the study of British culture and the English language around the world and is known for administering the IELTS standardized language exam.

Unsecured Azure blob spills Excel, XML, JSON files

British Council, the global organization for promoting British culture, the English language, and education opportunities, was leaking over 144,000 files containing student records.

Cyber security firm Clario, along with security researcher Bob Diachenko, discovered the leak in December 2021 and immediately reported their findings to British Council.

Spread across more than 100 countries, British Council has previously been dubbed the ‘soft power’ arm of the UK foreign policy. Although partially funded by the UK Government via a grant, the independently operated non-profit generates the vast majority of its revenue from activities like teaching, exams, tendered contracts, and partnerships.

The organization also administers the International English Language Testing System (IELTS) exam, the most recognized standardized English language test around the world, alongside TOEFL.

According to the researchers, an unprotected Azure blob container was indexed by a public search engine and contained thousands of Excel spreadsheets and XML/JSON files, viewable by anyone.

These files had the personal information of hundreds of thousands of British Council English course learners and students from around the world.
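
A defender's check for the misconfiguration described above, as an added example that is not part of the original article: it flags blob containers that allow anonymous access in a storage inventory. The inventory shape (an account-level `allowBlobPublicAccess` flag and a per-container `publicAccess` level, merged under a hypothetical `containers` key), the function name, and all sample data are assumptions constructed for illustration.

```python
# Added example: flag blob containers that can be read without authentication.
# Input shape is an assumption modelled on Azure CLI JSON output; all names and
# values below are constructed sample data, not taken from the incident.

# Container-level setting -> what an unauthenticated client can do.
ANONYMOUS_LEVELS = {
    "blob": "read blobs by URL",
    "container": "read blobs and list the container",
}

SAMPLE_INVENTORY = [
    {"name": "examplelearnerdata", "allowBlobPublicAccess": True, "containers": [
        {"name": "exports", "publicAccess": "container"},
        {"name": "backups", "publicAccess": None},
    ]},
    {"name": "examplelegacy", "allowBlobPublicAccess": None, "containers": [
        {"name": "assets", "publicAccess": "blob"},
    ]},
    {"name": "examplelocked", "allowBlobPublicAccess": False, "containers": [
        {"name": "reports", "publicAccess": "container"},
    ]},
]


def audit_public_containers(accounts):
    """Return one finding per container reachable without credentials."""
    findings = []
    for account in accounts:
        # The account-level switch overrides container settings when it is False.
        # A missing or null value is treated as "allowed" (conservative assumption).
        if account.get("allowBlobPublicAccess") is False:
            continue
        for container in account.get("containers", []):
            level = (container.get("publicAccess") or "none").lower()
            if level in ANONYMOUS_LEVELS:
                findings.append({
                    "account": account["name"],
                    "container": container["name"],
                    "anonymous_access": ANONYMOUS_LEVELS[level],
                    # Listing lets anyone enumerate every file, so rank it higher.
                    "severity": "high" if level == "container" else "medium",
                })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["account"]))


if __name__ == "__main__":
    for finding in audit_public_containers(SAMPLE_INVENTORY):
        print(finding)
```

In the sample, `examplelocked` produces no finding even though its container is set to `container` level, because the account-level switch disables anonymous access for every container in the account.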

Exposed student records in one of the spreadsheets discovered in the exposed Azure blob (Clario)

The exposed information included:

  • Full name
  • Email address
  • Student ID
  • Student status
  • Enrollment dates
  • Duration of study
  • Notes

The researchers state that it isn’t known how long this data was available online to the public with no authentication in place.

Another example of an XML file with personal information is shown below: 

XML files exposing student records

British Council: 10,000 records held by third-party provider

Diachenko and Clario discovered the data leak on December 5th, 2021, and promptly notified British Council.

One of the main concerns the researchers had at the time was the risk from phishing actors and identity thieves—should they get their hands on this information.

After not hearing back for 48 hours from British Council, the researchers reattempted contact; this time via Twitter, which is where subsequent communication between the two parties took place.

“On December 23rd, 2021 (two weeks after the initial contact), confirmation around the security of the repository was announced,” state the researchers.

BleepingComputer also reached out to British Council to independently confirm the information and we were provided with the following statement:

“The data in question was held and processed by a third party service provider. Approximately 10,000 records were accessible in a way that should not have occurred. On becoming aware of this, our third party service provider immediately secured the records with appropriate controls and the data in question was rendered no longer accessible. We are working with the supplier to ensure similar incidents do not happen in the future.

We have reported the incident in accordance with our regulatory obligations and we remain in contact with the Information Commissioner’s Office should any further action be required.

The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount,” a British Council spokesperson told BleepingComputer.

As noted, although the researchers discovered over 144,000 files, according to British Council, just about 10,000 student records were affected.

The disclosure of this data leak follows last month’s report stating that British Council had been a victim of “two successful ransomware attacks over the past five years,” in addition to six unsuccessful attempts by ransomware ops.

As a result of these attacks, British Council had reportedly experienced 12 days of downtime in total—five days in the first case, and seven in the second. However, the organization didn’t pay a ransom either time.

Given the prominent place held by the British Council in promoting UK culture abroad, and its role in co-managing the IELTS exam, it isn’t hard to see why threat actors would be lured to target the institution.

Clario recommends that British Council students and test-takers keep an eye out for any suspicious phishing emails they may receive and change their login passwords immediately as an extra precaution.
