Star Health and Allied Insurance Co. Ltd., on Wednesday, announced that it had been the target of a malicious cyberattack, leading to unauthorised and illegal access to certain data, according to an official statement.
The company has launched an investigation with the help of independent cybersecurity experts and is collaborating with government and regulatory authorities to address the breach.
Following the announcement, shares of Star Health & Allied Insurance Company dropped 2.5 percent on Thursday, as it was revealed that the attack had compromised the data of over 31 million customers.
Who is behind the leak?
Approximately two weeks after Star Health filed a lawsuit against Telegram and an unidentified hacker over a data breach, a website surfaced on Wednesday, claiming to offer data on over 31 million of the company's customers for sale at $150,000.
“I am leaking all Star Health India customers and insurance claims sensitive data. This leak is sponsored by Star Health and Allied Insurance Company, which sold this data to me directly. You can check the authenticity of the data in the Telegram bots below and read about how they sold it in the section below,” the hacker reportedly mentioned on the website.
The website, set up by a hacker going by the name xenZen, claims to possess data on exactly 31,216,953 customers. It remains unclear if this hacker is the same individual named in the lawsuit. On the website, xenZen alleges that Star Health's Chief Information Security Officer, Amarjeet Khanuja, sold the data but later attempted to alter the terms of their agreement. The hacker also claims to have a screen-recorded video showing chats and emails with the Star Health official.
What has been leaked?
In September, a report by Reuters uncovered that a hacker was exploiting chatbots on an app to leak personal data and medical records of Star Health policyholders.
The breach exposed sensitive information from more than five million insurance claims, including Aadhaar and PAN card images, medical reports, and insurance claim details, all of which have become publicly accessible on Telegram.
Reuters, while testing these chatbots, was able to download policy and claim documents containing names, phone numbers, addresses, tax details, ID card copies, test results, and medical diagnoses.
In their testing, the news agency retrieved over 1,500 files, amounting to 7.24 terabytes of data, with some documents dating as recently as July 2024.
In addition to the $150,000 offer for selling the entire dataset, the hacker also offered smaller bundles of 100,000 records for $10,000 each, with the option to negotiate 'custom packages'.
To establish credibility, the hacker posted over 500 'random data samples' on a website, including several samples containing information on Indian government officials. These samples include email addresses, residential addresses, policy details, and mobile numbers, among other data.
How has Star Health responded?
Star Health and Allied Insurance Co. Ltd., in its statement, confirmed that it fell victim to a "targeted malicious cyberattack, resulting in unauthorized and illegal access to certain data".
The company reported that, following its investigation into the cyber attack that led to a data breach, it has found no evidence of misconduct by its Chief Information Security Officer.
"A thorough and rigorous forensic investigation, led by independent cybersecurity experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation," the statement read.
It also confirmed that its operations remain unaffected by the breach, which was disclosed earlier in September, assuring that all services will continue without disruption.
The company urged all platforms, hosting providers, social media channels, and users to take "swift and decisive action to halt such activities" and comply with the High Court's orders. The firm promptly approached the Madras High Court, which instructed all third parties to disable access to the compromised information. The health insurance company stated that it is actively pursuing the matter.
Star Health, a provider of health, personal accident, and overseas travel insurance, operates through a network of more than 14,000 hospitals and over 850 branch offices across India. According to its website, the company has extended health insurance coverage to 170 million individuals.