Data of 31 million Star Health Insurance customers allegedly sold by company's CISO: All you need to know about it

In a massive cybersecurity breach and hacking of personal and insurance-related data of over 31 million customers of Star Health Insurance, a Chinese hacker going by the name of "xenZen" is selling about 7.24 TB worth of this sensitive data for as much as $1,50,000. Even partial data sets of 1,00,000 entries are also available for sale at $10,000

The leaked data includes details such as names, PAN numbers, mobile numbers, date of birth, email IDs, residential addresses, and certain policy specific information as well, like health card details, policy number, pre-existing conditions and more. Per media reports, the hacker has created Telegram bots to access data of 31,216,953 customers updated till July 2024 and 5,758,425 claims of Star Health, available till early August.

The hacker also accused the company's CISO (Chief Information Security Officer) Amarjeet Khanuja of selling this data for as much as $43,000. Here's how the entire chain of events allegedly unfolded, per the X account of Debarghya Das (deedydas), who has served as a founding team member in Google Search, and who, along with UK-based researcher Jason Parker, was one of the first to break information of this incident on the internet, alongside video proof:

1. Khanuja reached out to the hacker on July 6th, 2024, via an encrypted chat app called Tox.
2. They settled on $28,000 for selling customer data, which would be paid via Monero, a cryptocurrency.
3. Khanuja sends hackers all requisite details like login credentials and API endpoints on proton mail, a secure, encrypted email facility, and received payment from the hacker.
4. On July 20th, Khanuja pitches for selling claims related data as well. This deal is settled at $15,000.
5. The hacker's access is reportedly revoked 5 days later, when Khanuja demands for $1,50,000 for the 5TB accessed by the hacker, asking for a cut for senior management as well.
6. Hacker demands a full refund. Months later, on September 25, they drop a website titled "starhealthleak", which offered both customer and claim related data through 2 telegram bots.

Das further mentions that CloudSEK, an AI-powered digital risk monitoring platform had called this evidence as fabricated. But upon closer investigation it was found that CloudSEK was working on behalf of their client Star Health, whilst taking down the hacker's website.

While acknowledging the breach, Star Health strongly denied any involvement in this, terming this as a targeted malicious attack. "We want to categorically mention that our CISO has been duly co-operating in the investigation, and we have not arrived at any finding of wrongdoing by him to date. We request that his privacy be respected as we know that the threat actor is trying to create panic.”

Additionally, the insurer has also notified that an extensive forensic investigation is underway, where it is working with independent cybersecurity experts, government and regulatory bodies to address the issue. Earlier, Star Health had filed lawsuits against Telegram, the messaging app, for facilitating the distribution the data, and US software firm Cloudfare, for allegedly hosting the hacker's website.

While Cloudfare has denied the same, the Madras High Court had issued a temporary injunction demanding that Telegram block any chatbots distributing this leaked information. Per xenZen, this is not the first time they have bought and sold data from Indian companies. Previously, it had claimed to have compromised Airtel's servers, and took responsibility of their data breach. However, the data samples were later revealed to be a part of Indian telecom leak, which happened in 2023.