The hacker, "xenZen," alleges that Star Health’s chief information security officer sold him the data but later sought more money for continued access to the servers
So far, no evidence of wrongdoing has been found against CISO following a preliminary investigation into the data breach, said Star Health
Personal data of over 3 Cr Star Health customers has been leaked online, with the full dataset available for sale at $150,000 (INR 1.26 Cr)
Close on the heels of reports that the personal data of 3 Cr Star Health customers was leaked online, the hacker has now claimed that the insurer’s chief information security officer (CISO) sold him the data.
In a post on X, the hacker, with the alias ‘xenZen’, claimed that CISO Amarjeet Khanuja later even attempted to renegotiate the deal and demanded more money for continued access to the data on the company’s servers.
The hacker, on his website, also shared alleged chat logs and emails with Khanuja as evidence.
Meanwhile, in a statement sent to NDTV Profit, the company confirmed the hack and claimed that it has so far not found any evidence of wrongdoing from their CISO following a preliminary investigation into the data breach.
“We request that his (CISO’s) privacy be respected, as we know that the threat actor is trying to create panic. We also want to emphasise that any unauthorised acquisition, possession, or dissemination of customer data is illegal,” the insurer reportedly added.
Star Health also reiterated that its operations remain unaffected by the data breach, adding that all services continue without disruption.
“A thorough and rigorous forensic investigation, led by independent cybersecurity experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation,” Star Health also reportedly added.
This follows reports that the personal data of over 3 Cr Star Health customers was listed for sale online. The leak included sensitive information such as names, addresses, phone numbers, PAN details, policy nominees, medical history, and more.
The hacker, with the alias ‘xenZen’, has created a full-fledged website offering the full dataset for $150,000 (about INR 1.26 Cr) and a smaller package of 1 Lakh entries priced at $10,000 (INR 8.4 Lakh).
The breach reportedly exposed over 7.24 terabytes of sensitive customer data. Additionally, over data, including Aadhaar and PAN card photos, medical reports, and claim details, is said to have been circulated on Telegram and has been made public.
Notably, this comes at a time when cyberattacks are on the rise in the country. In July, one of WazirX’s multisig wallets was attacked, resulting in the loss of digital assets worth over $230 Mn.
In the same month, cybercriminals managed to transfer INR 40 Cr from IndusInd Bank’s customers into various mule accounts. Maharashtra cyber cell officials were able to retrieve INR 33 Cr later.
Meanwhile, to combat the rising cases of cyberattacks, the Indian government recently created a central registry of suspects. The Centre has also launched a Cyber Fraud Mitigation Centre (CFMC) and the Samanvay platform to tackle cyber crimes.
