
Explained: Star Health hit by massive breach affecting 31 mn; CISO at center of investigation


Leading insurer Star Health Insurance has admitted a massive data breach that exposed sensitive information amounting to 7.24 petabytes. The information was exposed through Telegram bots, making data such as names, mobile numbers, email IDs, dates of birth, addresses, medical conditions and policy numbers, among others, publicly available.
The Chennai-headquartered insurer provides health insurance to more than 170 million Indians and has about 14,000 hospitals in its network. This breach has exposed the personal information of about 31 million customers. Sensitive information of insured individuals, over five million insurance claims, Aadhaar card and PAN card photos, detailed medical reports, and insurance claim information are now circulating on Telegram and accessible to the public. The hackers allegedly used Telegram chatbots to share personal data with potential buyers.
CISO in the eye of the storm

Reuters first reported the breach in September. At the time, the company said that there had not been any widespread compromise and that sensitive customer data was secure. In the latest update, the $1.4 billion revenue firm has acknowledged the ‘targeted malicious cyberattack’ that resulted in unauthorised and illegal access to certain data.
In a statement on October 9, Star Health said, “A thorough and rigorous forensic investigation, led by independent cybersecurity experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cybersecurity regulatory authorities apart from filing a criminal complaint.”
Notably, a self-styled hacker using the alias xenZen has publicly claimed that the chief information security officer (CISO), Amarjeet Khurana, sold the entire website data to him. The hacker said that Khurana later tried to renegotiate the deal, asking for more money for backdoor access on behalf of senior management.

In view of the accusation, the insurer said in the statement that it is investigating the CISO’s role in the hack. “We also want to categorically mention that our CISO has been duly co-operating in the investigation and we have not arrived at any finding of wrongdoing by him till date,” the company said.
Telegram finds itself in hot water
In the last week of September, Star Health filed a lawsuit against Telegram and a self-proclaimed hacker for reportedly using chatbots on the messaging platform to leak personal data and medical reports of policyholders.

This legal action occurred amid increasing global scrutiny of Telegram, particularly after the arrest of its founder, Pavel Durov, in France last month, with allegations that the app's content moderation and features have been misused for illegal activities. Both Durov and Telegram have denied any wrongdoing and are working to address the criticisms.