India’s leading health insurer, Star Health Insurance, is currently embroiled in a significant scandal involving an alleged massive data breach. Reports suggest that sensitive personal and insurance information belonging to millions of customers has been compromised. This has raised alarm about data security and privacy within the insurance sector and underscored the need for stringent Personal Data Protection Rules.
A hacker identified as xenZen has made shocking revelations. According to the hacker’s claims, approximately 7.24TB of data related to over 31 million customers has been unlawfully accessed and is now reportedly available for sale online.
The hacker is allegedly seeking a hefty price of $150,000 for a large amount of customer data. Smaller subsets containing 100,000 customer records are being offered for $10,000 each. This alarming incident has ignited widespread concerns over the protection of personal data and the security protocols implemented by companies in India.
The hacker, xenZen, says that the stolen data includes highly sensitive information. This purportedly includes customers' names, their Permanent Account Numbers (PAN), mobile numbers, email addresses, birthdates, residential addresses, and policy numbers. More troubling still, the data allegedly includes details of pre-existing medical conditions, health card numbers, and other confidential medical records. There are concerns that misuse of such information could lead to severe consequences for the individuals whose data has been compromised.
Interestingly, the hacker has made shocking accusations against Amarjeet Khanuja, the Chief Information Security Officer (CISO) of Star Health in this data breach case. The hacker claims that Khanuja actively facilitated the data leak by allegedly selling sensitive customer information directly to them.
As per reports, Khanuja allegedly sold the sensitive data of around 31 million Indian customers, including their salary details and PAN card information, for $43,000.
Chronology of data breach and allegations against Star Health insider
It is said that on 6th July 2024, Khanuja contacted the hacker xenZen through the encrypted chat application Tox, in a contact facilitated by a middleman known as denol.
Following their initial discussions, they allegedly reached an agreement for a payment of $28,000 in Monero, a type of cryptocurrency, in exchange for customer data.
It is further reported that Khanuja provided login credentials and API details via ProtonMail, allowing the hacker to access the data. After the payment was made, the hacker reportedly received the customer data.
On 20th July, Khanuja allegedly offered additional data for an extra $15,000, repeating the earlier process for this transaction.
However, the hacker’s access was revoked five days later. In response, Khanuja purportedly demanded $150,000, claiming that senior management of Star Health wanted a share of the profits.
When the hacker refused to meet Khanuja’s demands, they listed the stolen data for sale online.
By 25th September, a website named *starhealthleak* was reportedly launched. It offered customer and claims data through Telegram bots and made the data accessible to potential buyers.
Star Health refutes claims of any wrongdoing in data breach
Star Health has vehemently refuted claims of any wrongdoing. It has denied involvement in the data breach and called the incident a “targeted malicious attack.”
A spokesperson for Star Health assured the public that their operations remain fully functional. The spokesperson emphasized that customer services have not been affected by the breach.
In an official statement, the company said, “We wish to clarify that our operations are fully functional, and services to customers remain unaffected. A thorough investigation is being led by our cybersecurity team, and we continue to work in conjunction with authorities to ensure that customer data remains protected.”
Star Health has confirmed that it has initiated an extensive forensic investigation into the matter. It is working with independent cybersecurity specialists to thoroughly analyze the breach and identify its sources. It is also collaborating closely with government and regulatory agencies, including authorities responsible for insurance and cybersecurity, to tackle the situation effectively.
Moreover, Star Health has also filed a criminal complaint and a lawsuit against the hacker and the messaging platform Telegram, where portions of the stolen data were reportedly first shared.