Founded in London in 1951, the British Council is a British organization that promotes worldwide cultural and educational opportunities. It works in over 100 countries encouraging cultural, scientific, technological, and educational cooperation with the United Kingdom and promoting a greater understanding of the United Kingdom and the English language.

What Happened?

A cybersecurity company uncovered an unprotected Microsoft Azure blob on the internet that included student names, IDs, usernames, and email addresses, among other sensitive information.

Clario, a cyber security company, and security researcher Bob Diachenko found the breach in December 2021 and promptly notified the British Council of their findings.

According to the researchers, a public search engine indexed an unsecured Azure blob container that held hundreds of Excel spreadsheets and XML/JSON files that were readable by everyone.

These files included the personal information of hundreds of thousands of learners and students of British Council English courses from throughout the globe.

The following information was disclosed: full name, email address, student ID, student status, enrollment dates, and study duration.

The researchers emphasize that the length of time that this content was available to the public online without authentication is unclear. On December 5th, 2021, Diachenko and Clario detected the data breach and immediately contacted the British Council.

On December 23rd British Council provided a statement regarding the incident.

The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The Privacy and security of personal information is paramount.

Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.  

We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.


The journalists at BleepingComputer reached out to British Council to independently confirm the information and were provided with a statement:

The data in question was held and processed by a third party service provider. Approximately 10,000 records were accessible in a way that should not have occurred.  On becoming aware of this, our third party service provider immediately secured the records with appropriate controls and the data in question was rendered no longer accessible. We are working with the supplier to ensure similar incidents do not happen in the future.

We have reported the incident in accordance with our regulatory obligations and we remain in contact with the Information Commissioner’s Office should any further action be required.

The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount


If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.