Beware! If your personal information like Aadhaar, PAN card number, passwords, or mobile number gets leaked, it could be used for fraud. "Fraudsters can use this data to commit identity theft, extort money, or carry out phishing attacks," Gangesh Varma, Principal Associate at Saraf and Partners, cautioned.
On September 20, the personal data of millions of customers linked to Star Health Insurance, including details of their medical conditions, was leaked online. UK-based researcher Jason Parker was the first to report the breach, revealing that a hacker named xenZen had allegedly obtained the data.
What happened with Star Health Insurance?
According to the hacker, the Chief Information Security Officer (CISO) of Star Health Insurance initially sold the information for $28,000 but later demanded $150,000. The hacker claimed the CISO cited the need to share proceeds with senior management. After the deal fell through, the hacker released all the sensitive customer data online.
The leaked Star Health Insurance data was being distributed through two Telegram bots—one sharing claim documents in PDF format, and the other providing detailed customer information.
Responding to the incident, Telegram stated, "The bots reported to the instant messaging app for sharing Star Health data were immediately removed, and moderators are monitoring to prevent them from being recreated."
"The sharing of private information on Telegram is expressly forbidden, and such content is deleted whenever it is found," the platform clarified in its official statement.
Star Health Insurance has launched an investigation into the breach. "We have started a comprehensive forensic investigation with independent cybersecurity experts and are working with government and regulatory authorities," the company stated.
The insurer also approached the Madras High Court, which directed all involved parties to disable access to the leaked information. "We are diligently pursuing the implementation of this order," Star Health Insurance said.
Other recent data breaches in India
The Star Health Insurance breach is just one in a series of recent data breaches affecting millions of people in India.
In July, the personal data of around 7.9 million customers from Mumbai-based stockbroking firm Angel One was exposed on a hackers' forum. The breach, which had occurred the previous year, resulted in the release of sensitive information including names, addresses, contact numbers, and bank account details.
Earlier, in April, data belonging to 7.5 million customers of boAt, the consumer electronics brand, was reported to have been leaked and listed for sale on the dark web, according to Forbes India.
In January, a massive security breach was uncovered by cybersecurity firm CloudSEK, revealing personal information of about 750 million individuals in India. This breach exposed crucial details like names, mobile numbers, addresses, and Aadhaar information. The 1.8 terabytes of data were reportedly being sold by threat actors known as CyboDevil and UNIT8200.
Consequences of a data breach
Data breaches like this can lead to identity theft, financial fraud, and scams. Saurabh Gupta, Founder and CEO of VeriSmart AI, an AI-driven data privacy solutions firm, explained, "Hackers use various methods, such as social engineering, malware, and phishing, to access personal data for malicious purposes."
Businesses also face reputational damage and legal liabilities. "Companies may face penalties depending on the applicable laws and suffer from a tarnished reputation, making recovery difficult," Varma said.
How severe are the risks?
Gupta noted, "The impact of data theft depends on the sensitivity of the information. Consequences can range from financial loss and public embarrassment to life-threatening situations." Varma added that the fallout might not be immediately visible, leading people to underestimate the damage.
What steps can you take to protect yourself?
To minimise the impact of such breaches, experts advise taking immediate action:
— Change passwords linked to the leaked data.
— Enable two-factor or multi-factor authentication.
— Regularly update software and apps with the latest security patches.
— Stay alert to suspicious online activities and report incidents to authorities.
"Understanding data privacy and taking proactive steps to protect your online identity is very important these days," Varma said.
How businesses can respond to data breaches
Companies must have an incident response plan in place. They should also report breaches to authorities and inform affected individuals as per legal requirements. Preventive measures are just as critical to protect people's data.
"The IT Act, 2000 provides for compensation to victims under sensitive personal data rules, but this will soon be replaced by the Digital Personal Data Protection Act," Varma explained. He added that the new law focuses on rights for individuals and strict penalties for businesses but does not offer compensation for affected individuals.
Our online lives matter
"Our online lives are as important as our physical lives, if not more, due to the speed and reach of information," Gupta said. He urged everyone to take more precautions to protect their online identity in today’s digital age.