HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Star Health CISO accused of selling 31 million customers' data to hacker

Written by Farah Amod | Oct 16, 2024 12:17:13 AM

Star Health Insurance, a health insurance provider in India, is facing a data breach controversy. A hacker named xenZen claims that a senior executive sold the personal data of over 31 million customers to malicious actors.

 

What happened

Allegations on a hacker website claim that Amarjeet Khanuja, the Chief Information Security Officer (CISO) of Star Health Insurance, sold sensitive data to xenZen. It is further alleged that Khanuja later sought to renegotiate the arrangement, requesting additional payment to provide backdoor access on behalf of senior management.

The website, created by xenZen, displayed the following statement: "Star Health management CISO (Chief Information Security Officer) Amarjeet (as mc6) sold all this data to me and then attempted to change deal terms saying senior management of the company needs more money for backdoor access."

 

Going deeper

The hacker is now offering to sell the entire dataset for $150,000 or in smaller batches of 100,000 entries for $10,000 each. The breach has exposed sensitive customer information, including full names, mobile numbers, email addresses, dates of birth, residential addresses, pre-existing medical conditions, policy numbers, nominee details, as well as the height and weight of insured individuals.

Moreover, data on over five million insurance claims, including photos, detailed medical reports, and insurance claim information, is now circulating on the Telegram app and is accessible to the public.

 

What was said

In response to an email inquiry from the Economic Times, Star Health Insurance acknowledged the data breach, stating, "We were the victim of a targeted malicious cyberattack, resulting in unauthorized and illegal access to certain data. We make it absolutely clear that our operations remain unaffected, and all services continue without disruption."

Regarding the allegations against their CISO, the company stated, "We also want to categorically mention that our CISO has been duly cooperating in the investigation, and we have not arrived at any finding of wrongdoing by him till date. We request that his privacy be respected as we know that the threat actor is trying to create panic. We also want to emphasize that any unauthorized acquisition, possession, or dissemination of customer data is illegal."

 

In the know

This incident follows increased global attention on the Telegram messaging app after its founder, Pavel Durov, was arrested in France last month. Concerns about the app's potential misuse for illegal activities have been raised, prompting calls for stronger cybersecurity measures and better data protection regulations.

 

Why it matters

The data breach has revealed sensitive information, increasing the risks of identity theft, fraud, phishing, and extortion. This incident compromises the privacy of millions and undermines trust in Star Health Insurance. To restore public confidence, Star Health Insurance must act swiftly to safeguard customer data, address the issue transparently, and enhance its cybersecurity measures.

 

FAQs

What is a data breach?

A data breach is an incident where sensitive, protected, or confidential data is accessed, disclosed, or stolen by unauthorized individuals. This can include personal information such as names, social security numbers, credit card details, and medical records. Data breaches can occur through various means, such as hacking, malware attacks, insider threats, or inadequate security measures.

 

Can legal action result from a data breach?

Yes, legal action can result from a data breach, as affected individuals or organizations may sue for damages caused by the breach.

 

How can healthcare organizations prevent data breaches?

Healthcare organizations can reduce the risk of data breaches by implementing strong cybersecurity measures, conducting regular security training for employees, and using encryption to protect sensitive data. 

 

What should a healthcare organization do immediately after discovering a data breach?

Upon discovering a data breach, a healthcare organization should contain the breach, assess the scope of the impact, notify affected individuals and relevant authorities, and begin an investigation to understand how the breach occurred and how to prevent future incidents.