Chennai: A website created by a hacker known as xenZen has breached the data of Star Health Insurance. A staggering data breach has reportedly exposed the personal information of approximately 3.1 crore customers of Star Health Insurance, including sensitive details such as mobile numbers, PANs, addresses, and pre-existing medical conditions. As per the report by PTI, the hacker stated that Star Health’s Chief Information Security Officer (CISO) sold the data before attempting to alter the terms of their agreement. The allegations were highlighted by UK-based researcher Jason Parker, who shared information regarding the breach on September 20. According to Parker, xenZen has published sample data from Star Health Insurance and provided evidence of an email exchange with a top official responsible for managing the company’s digital infrastructure. “I am leaking all Star Health India customers and insurance claims sensitive data. This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly,” xenZen stated.
In response to the allegations, Star Health Insurance released a statement confirming that a thorough forensic investigation is currently underway, led by independent cybersecurity experts. The company is cooperating closely with government and regulatory authorities throughout this process. The statement also revealed that Star Health had approached the Madras High Court regarding the issue. The court has issued an order directing all parties, including certain third parties, to disable access to the leaked information. “We are diligently pursuing the implementation of this order,” the company emphasised. Star Health further asserted that their CISO is cooperating with the investigation and that no findings of wrongdoing have been established against him to date. The company strongly condemned any unauthorized acquisition, possession, or dissemination of customer data as illegal, urging all relevant platforms and users to act swiftly to halt such activities and comply with the court’s orders. The Madras High Court recognized the importance of protecting sensitive data and scheduled further hearings on the matter for October 25.
According to xenZen, Telegram bots have been created to access data for 31,216,953 customers as of July 2024, along with 5,758,425 claims made by the company until early August. The hacker also shared video evidence of an email conversation with a senior official at Star Health, showing that the deal for the data was initially set at $28,000. However, the official later allegedly demanded $150,000, claiming that a portion of the funds would be required to compensate senior management for allowing the leak to continue. The exposure of personal details poses significant risks to affected individuals, making them vulnerable to online scams and fraud. The situation highlights the pressing need for robust cybersecurity measures and the ethical handling of customer data in the insurance sector.