
Personal data on British Council students exposed on open Microsoft Azure blob


Researchers on Tuesday reported they found an open and unprotected Microsoft Azure blob repository that contained more than 144,000 files with the personal information and log-in details of British Council students.

The British Council operates in more than 100 countries with a mission of promoting greater knowledge of the United Kingdom and the English language.

In a blog post, researchers from MacKeeper and noted cybersecurity researcher Bob Diachenko said the students were potentially open to identity theft and phishing attacks.

The exposed blob container included XML, JSON and XLS/XLSX files on hundreds of thousands of British Council English course learners worldwide. The container included the following information on the students: full name, email address, student identification, notes, student status, enrollment date, and duration of study.

According to the researchers, it’s still unclear how long the data was exposed online with no authentication in place. The data leak was discovered and reported Dec. 5. It wasn’t until Dec. 23 (two weeks after the initial contact) that the British Council released this statement:

“The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.

“Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.

“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”

The scenario being played out with the British Council is very similar to the dreaded AWS open S3 buckets that have been discussed at length, said John Morgan, CEO at Confluera.  

“Some of the benefits afforded by cloud services and why it's so attractive to organizations, are also leveraged by attackers to gain easy access to sensitive data,” Morgan said. “Not only should organizations enforce sound practices that include configuration posture management, but also take on a zero-trust philosophy and employ tools to detect if any cloud attacks are in-progress, assuming attackers will get in.”

When organizations let their developers use cloud data storage, they are effectively enabling the creation of applications that bypass many of the on-premises security controls that were developed over the last two decades to limit these types of data loss risks, said Aaron Turner, vice president of SaaS posture at Vectra.

“If we go back to the Microsoft Power Apps data leak in August of 2021, and the AWS data loss events over the last several years, we as security experts need to do a better job of training developers to build data protection capabilities into their initial cloud application designs,” Turner said. “In an ideal world, there would be firm governance tools in place to hold developers accountable to data protection designs and controls frameworks. But, these application development projects are often moving at such speed, security teams don't get involved until after the fact.”

Davis McCarthy, principal security researcher at Valtix, said data breaches in the cloud are caused by technical debt and lack of visibility. McCarthy said intimate knowledge of a person’s life makes a scam more believable.

“A well-crafted phishing email may use data from multiple breaches, further lowering the target’s defenses,” McCarthy said. “Threat actors know the value of data and are taking advantage of the rapid enterprise migration to the cloud. Educating end-users about cloud services and their security best practices will curb needless data exposure. If network defenders cannot control user resources or identify misconfigured assets, they certainly cannot harden against the risks they pose.”
