The data breach of Star Health and Allied Insurance is a “huge problem” if sensitive information of about 31 million customers, reportedly amounting to 7.24 terabytes, is offered for sale, industry experts have warned, saying that the gravity of the issue may be even more severe than it looks.
In what may be one of the biggest online data breaches in India so far, sensitive information of about 31 million customers of India’s largest standalone health insurer was reportedly leaked through chatbots on the messaging platform Telegram.
According to a Reuters report, policy and claims documents containing names, phone numbers, addresses, tax details, copies of ID cards, test results, and medical diagnoses were publicly accessible via chatbots on Telegram.
“If the 7.24-terabyte figure is accurate, it will be massive, almost like the country’s data. If data of 31 million people has been breached, then that’s a huge problem,” said Pankit Desai, founder of Mumbai-based cybersecurity firm Sequretek.
The Chennai-based company did not respond to questions from Business Standard, although an official stated that a detailed statement would be released soon. The company has already alerted customers about the possibility of fraudulent activity by third parties, reports say. Though the hacker claimed that a company official shared the data, cyber experts indicate that this may not be factual.
A hacker named xenZen is reportedly behind the leak. Interestingly, this comes two months after a hacker with the same name claimed to have accessed Airtel India’s customer database, which comprised details of 375 million users in July. The Airtel database included customers' mobile numbers, dates of birth, fathers' names, Aadhaar IDs, email IDs, and more.
“In the insurance sector, you work with many third parties, such as insurtech companies, data management firms, system administration players, and health check companies. Data exchange happens across systems in many forms and formats. A gap in someone else's system can also become your problem,” Desai added, emphasising that the company should immediately reach out to users who may be affected.
Experts also note that since the data is already available on third-party networks, there may be little the company can do now.
“In encrypted channels, there’s nothing anybody can do. Once the data is on a third-party network, it is very difficult to do anything. Companies should understand the extent of the breach. If you have a good system, you can figure out how much data was actually leaked,” Desai said.
A video of a conversation between a company official and xenZen, conducted via email chat and an instant messaging forum, was also made public.
“The reality is that the threat actor faked the email screenshot. The email contents were valid, but the username and password allegedly shared by the CISO (Chief Information Security Officer) were actually part of a credential leak from a public dark web incident. The threat actor then fabricated the story to frame the CISO and their team,” said Rahul Sasi, founder and chairman of cybersecurity firm CloudSEK and member of the RBI panel on digital lending, indicating the seriousness of the data breach.
According to media reports, the hacker created Telegram bots to access data of 31,216,953 customers updated until July 2024, and 5,758,425 claims from the company available until early August.
Reports also indicated that a deal was finalised with the official for $28,000, but later, the official demanded $150,000, claiming that he had to pay a share to senior-level management for the continuation of the data leak, according to the video.
Other major reported data leaks in India include the Air India breach in May 2021, which involved the data of 4.5 million customers; the BigBasket data breach in April 2021, affecting 20 million customers; and the leak at music streaming platform Gaana.com, where 10 million users were affected.
Major data leaks
> Airtel India: A hacker who goes by the alias ‘xenZen’ claimed to have access to details of 375 mn users in July 2024
> Air India: Data of 4.5 mn customers was compromised in May 2021
> BigBasket: In April 2021, a threat actor leaked personal information and hashed passwords of around 20 mn users