Business Standard

Hacker builds website to leak insurer Star Health's data days after lawsuit

While it's unclear if the website was made by the same individual Star Health sued, the hacker claims that a senior Star Health official sold the data and later tried to renegotiate terms

The data breach of Star Health and Allied Insurance is a “huge problem” if sensitive information of about 31 million customers, reportedly amounting to 7.24 terabytes, is offered for sale, industry experts have warned, saying that the gravity of the

The hacker also offered to sell the entire leaked dataset, which is up to July 2024, for $150,000. (Representative Picture)

Nisha Anand New Delhi


About two weeks after Star Health sued social media platform Telegram and an unknown hacker over a data breach, a website appeared on Wednesday, claiming to have data of over 31 million customers of the company, available for sale at $150,000.

The website, created by a hacker identified as xenZen, claims to have access to the data of 31,216,953 customers. That includes sensitive information such as PAN details, residential address, and other personal information. 

“I am leaking all Star Health India customers and insurance claims sensitive data. This leak is sponsored by Star Health and Allied Insurance Company, which sold this data to me directly. You can check the authenticity of the data in the Telegram bots below and read about how they sold it in the section below,” the hacker mentioned on the website.


It was not immediately clear if the website had been created by the same individual who was charged in the lawsuit. On the website, the hacker alleged that Star Health’s Chief Information Security Officer, Amarjeet, sold all the data and later tried to change the terms of their deal. The hacker claims to have a screencap video showing chats and emails with the named Star Health official.

The hacker also offered to sell the entire leaked dataset, which is up to July 2024, for $150,000. Additionally, smaller packages of 100,000 entries were available for $10,000 each and the hacker said that ‘custom packages’ could be negotiated.

To prove their credibility, the hacker has given over 500 ‘random data samples’ on the website, including dozens of samples of Indian government officials. These data samples contain information such as email addresses, residential addresses, policy details, and mobile numbers, among others.

Business Standard could not independently verify the credibility of the data.

On September 26, Star Health filed a lawsuit against Telegram and a ‘hacker’ after it was discovered that the hacker was using the messaging application to leak company data. It was reported that the hacker was identified as ‘xenZen’, the same name seen on the website.

Statement from Star Health Insurance

Star Health Insurance has confirmed that it was the target of a malicious cyberattack, which led to unauthorised and illegal access to certain data. The company has emphasised that its operations remain unaffected, with all services continuing without disruption.

“We acknowledge that we were the victim of a targeted malicious cyberattack, resulting in unauthorised and illegal access to certain data. We make it absolutely clear that our operations remain unaffected, and all services continue without disruption. A thorough and rigorous forensic investigation, led by independent cybersecurity experts is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cybersecurity regulatory authorities apart from filing a criminal complaint. We also timely approached the Madras High Court which in the attached order has directed all including certain third parties to disable access to the relevant information. We are diligently pursuing the implementation of this order,” the company said in a statement.

The company has stated that its Chief Information Security Officer (CISO) has been fully cooperating with the investigation, and to date, no findings of wrongdoing have been made against him. Star Health has requested that his privacy be respected, noting that the threat actor appears to be attempting to incite panic.

"We have robust security measures in place and Star Health assures its customers and partners that their privacy and data security are paramount to us, and we are unwavering in our commitment to ensure their continued trust and confidence. All our rights under the law and contracts, are fully reserved," the company stated.



 


First Published: Oct 09 2024 | 5:42 PM IST
