Unsecured student details discovered at British Council’s data provider

February 2, 2022

MacKeeper has collaborated with independent cybersecurity researcher Bob Diachenko to unveil and responsibly report the incident described in their data breach report.

The British Council is one of the world’s leading champions of education and empowering young people to learn English and transform their lives through learning and qualifications.

However, it has been found that there is an open and unprotected Microsoft Azure blob repository. This contained 144K+ files with personal and login details of British Council students, potentially putting them and their personal information at risk. It is unknown for how long this data was available online in public, with no authentication in place.

As soon as the sensitivity of the data and the owner of the repository was confirmed, the British Council was contacted but failed to respond. After 48 hours, the organisation was contacted via Twitter and since then communication has been through direct messages on the platform. 

On December 23rd 2021 (two weeks after the initial contact), confirmation around the security of the repository was announced. The British Council also provided the following statement: 

“The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The Privacy and security of personal information is paramount.

“Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured and we continue to look into the incident in order to ensure that all necessary measures are and remain in place. 

“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”

While many British Council students are looking to expand their knowledge by studying with the organisation, the exposure of their sensitive information could have put them at risk from a variety of different scams. 

Identity theft or fraud 

If scammers have access to personal details such as name, contact details and in this case, student status, then students could have become victims of identity fraud. Examples in this case could include stealing qualifications or buying products in the name of students. 


Phishing is a form of cyber-crime committed by cyber-criminals if they can access personal details. The more personal information they have, the more convincing their scams can trick users into giving up sensitive information. In this case, email address, student name and other details could have been used to trick them into handing over more details or money. 

Impact on British Council

There are challenges for the British Council if this data breach becomes common knowledge. It also follows a history of issues surrounding cybersecurity. A recent report revealed how the organisation has been a victim of two successful ransomware attacks over the past five years, official figures have shown.

The data, obtained from a freedom of information (FoI) request revealed that the British Council suffered a total of 12 days of downtime due to the incidents; five days in the first and seven in the second.

Loss of reputation

Loss of reputation is a concern for the British Council. Although they were not responsible for the data breach, errors made by the data provider they decided to work with have exposed these student details. This suggests that they need to be more rigorous in terms of how they select and work with third parties. If it did become a news story, then it would be linked to previous data breaches to emphasise the council’s poor track record with cybersecurity.  

At risk of hackers

With this information exposed, hackers could also use this data to target the British Council and exploit vulnerabilities in their IT infrastructure for their own malicious ends. For example, hackers could open bank accounts, take out loans or make expensive financial purchases in your name. They could use this information to access your online accounts such as with different stores or financial service providers. 

In case of a data breach, it is advised that: 

Log in and change passwords immediately

This is the easiest way to ensure nobody gains access to your account, especially if you update it as soon as possible after the breach has occurred. Remember that your passwords should be updated every 180 days. 

Cautiously approach suspicious-looking emails or links

Follow your instincts. Is that email or website looking dodgy? Did you suddenly get an advertisement, asking you to join a promo? Stay on high alert after a data breach to make sure you don’t fall victim to a scam. 

Work with a trusted cybersecurity provider

Like Mackeeper. Your device can be protcted and digital identity from viruses, unsecured Wi-Fi, ID theft, or hacking – all in real time.

For more information, visit: mackeeper.com

Read Next

Security Journal UK

Subscribe Now

£99.99 for each year
No payment items has been selected yet