India’s largest health insurer Star Health received a ransom demand of $68,000 from a hacker who claimed access to the customers’ confidential data.

“The incident involved a series of emails received by Star Health senior executives, in which the Threat Actor claimed unauthorised and illegal access to the customer confidential data and demanded a ransom amount of USD 68,000. Based on ongoing investigations, the Threat Actor appears to have used bots to purportedly share customer sensitive information through Telegram (the social media and messaging platform) and certain websites,” the health insurer says.

The insurer also backed Amarjeet Khanuja, its Chief Information Security Officer, who the hacker alleged was involved in the data leak. “We wish to highlight that our investigations are ongoing, and we have engaged competent independent third parties to undertake the exercise. We have not arrived at any finding of wrongdoing by our Chief Information Security Officer (CISO) till date,” it says.

The company says it reported the incident to all relevant regulatory agencies including the Computer Emergency Response Team (CERT-In) and the IRDAI on August 14, 2024. “Separately, we have filed a Complaint before the Commissioner of Police, Chennai on 14 August 2024 based on which a First Information Report (FIR) was registered by the Tamil Nadu Police Cyber Crime Cell on 23 September 2024 reporting the incident, as well as a civil suit on 22 September 2024 before the Hon’ble Madras High Court, which in its order dated 24 September 2024 has, inter alia, directed all third parties, including persons unknown, to disable access to the relevant information,” it says.

Immediately after the receipt of emails from the Threat Actor, the circumstances were reported to the Board of Directors, which included the members of the Risk Management Committee (RMC), on August 14, 2024, the company says. “We subsequently initiated necessary and protective steps such as engaging an independent expert to carry out the investigation into the suspected incident, and filing a Police Complaint and intimations to relevant authorities as mentioned above, including the stock exchanges,” it says.

On August 13, 2024, the Threat Actor demanded a ransom of $68,000 in an email addressed to the MD & CEO. Star Health didn’t respond to the emails.

The hacker sent another email on August 22, 2024 and set up a new site. This website was taken down by Star Health. Subsequently, the attacker created yet more websites with the same name (starhealthleak, starhealth.lol), posting 500 samples of customer data on the website.

On September 11, 2024, Star Health issued the first notice to Telegram to take down the bots. "TA created new bots every time Telegram took down the reported bots. Telegram refused to share the account KYC details or permanently ban the TA’s accounts despite multiple notices issued in this regard," the insurer says.
