Reports have surfaced of a massive data breach potentially affecting millions of Star Health Insurance customers. Sensitive data, including medical records, was allegedly accessible through Telegram chatbots. The breach adds to growing concerns over the platform, which has faced criticism for allegedly enabling criminal activity.
The exact number of individuals impacted by the reported data breach at Star Health Insurance has not been established. However, news agencies claim the number could be in millions, with samples available upon request. On a hacker forum, a user known as xenZen claimed responsibility for creating the chatbots, asserting they hold 7.24 terabytes of data from more than 31 million Star Health customers.
These records, dating as recently as July 2024, include policy documents, claims, names, phone numbers, addresses, tax details, ID copies, test results, and medical diagnoses. While the data is accessible through the chatbot on a random, piecemeal basis, it is available for bulk purchase.
The chatbots have reportedly been operational since August 6. New chatbots have since appeared offering Star Health data.
Star Health and Allied Insurance, with a market capitalisation exceeding Rs. 35,888 crore, stated it has reported the alleged unauthorised data access to local authorities.
In an August 14 stock exchange filing, Star Health disclosed it had received emails from unidentified individuals regarding a possible breach, noting that they were investigating claims of unauthorised access to "a few claims data."
In its statement, Star Health emphasised that "the unauthorised acquisition and dissemination of customer data is illegal," and that it is working closely with law enforcement to address the issue. The company reassured customers that their privacy is a top priority.
The company reiterated that its cybersecurity measures are in line with regulatory norms set by IRDAI and other authorities.
Telegram’s chatbot feature, which has facilitated the platform to become a widely used messaging platform, is facing scrutiny after its Russian-born founder Pavel Durov was arrested in August in France over allegations of inadequate action against criminal activity.
The platform has allegedly become a hub for illicit operations, including data breaches, stock price manipulation, and the spread of child sexual abuse material. The recent alleged breach underscores the challenges Indian companies face in safeguarding their data. According to a 2022 survey by NordVPN, around five million people globally have fallen victim, with India being the hardest hit, accounting for 600,000 victims.