Hacker Alleges CISO’s Hand In Star Health Data Breach

Close on the heels of reports that the personal data of 3 Cr Star Health customers was leaked online, the hacker has now claimed that the insurer’s chief information security officer (CISO) sold him the data. 

In a post on X, the hacker, with the alias ‘xenZen’, claimed that CISO Amarjeet Khanuja later even attempted to renegotiate the deal and demanded more money for continued access to the data on the company’s servers. 

The hacker, on his website, also shared alleged chat logs and emails with Khanuja as evidence.

Meanwhile, in a statement sent to NDTV Profit, the company confirmed the hack and claimed that it has so far not found any evidence of wrongdoing from their CISO following a preliminary investigation into the data breach.

“We request that his (CISO’s) privacy be respected, as we know that the threat actor is trying to create panic. We also want to emphasise that any unauthorised acquisition, possession, or dissemination of customer data is illegal,” the insurer reportedly added.

Star Health also reiterated that its operations remain unaffected by the data breach, adding that all services continue without disruption. 

“A thorough and rigorous forensic investigation, led by independent cybersecurity experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation,” Star Health also reportedly added. 

This follows reports that the personal data of over 3 Cr Star Health customers was listed for sale online. The leak included sensitive information such as names, addresses, phone numbers, PAN details, policy nominees, medical history, and more. 

The hacker, with the alias ‘xenZen’, has created a full-fledged website offering the full dataset for $150,000 (about INR 1.26 Cr) and a smaller package of 1 Lakh entries priced at $10,000 (INR 8.4 Lakh). 

The breach reportedly exposed over 7.24 terabytes of sensitive customer data. Additionally, over data, including Aadhaar and PAN card photos, medical reports, and claim details, is said to have been circulated on Telegram and has been made public.

Meanwhile, Telegram said in a statement that the bots reported to Telegram for sharing Star Health data were immediately removed and moderators are monitoring to prevent them from being recreated. The company further added that the sharing of private information on Telegram is expressly forbidden and such content is deleted whenever it is found.

Notably, Telegram claims that the company addressed 2380 legal requests from India in the third quarter (Q3) of this calendar year (2024) alone, up from 2151 requests in Q2 2024.

This comes at a time when cyberattacks are on the rise in the country. In July, one of WazirX’s multisig wallets was attacked, resulting in the loss of digital assets worth over $230 Mn.

In the same month, cybercriminals managed to transfer INR 40 Cr from IndusInd Bank’s customers into various mule accounts. Maharashtra cyber cell officials were able to retrieve INR 33 Cr later. 

Meanwhile, to combat the rising cases of cyberattacks, the Indian government recently created a central registry of suspects. The Centre has also launched a Cyber Fraud Mitigation Centre (CFMC) and the Samanvay platform to tackle cyber crimes.

Update | October 11, 4:55 PM: This article was updated to include Telegram’s statement. 

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.