Sensitive customer data, including medical reports and personal details, from India’s largest health insurer, Star Health and Allied Insurance, has been found publicly accessible across various websites and chatbots on Telegram. This Star Health data breach follows closely on accusations against Telegram’s founder, Pavel Durov, for allegedly enabling the platform to facilitate illegal activities.
According to a security researcher who alerted The Cyber Express (TCE), millions of customers’ private data are being sold online, with samples readily available via Telegram chatbots upon request. This Star Health and Allied Insurance data breach has raised concerns about the security measures at Star Health, which holds a market capitalization exceeding $4 billion.
Stolen Data Circulating on Telegram and BreachForums
The Star Health data leak includes highly sensitive information such as policy documents, claims forms, personal identification numbers, tax details, medical reports, and more. The threat actor, operating under the pseudonym “xenZen,” has been distributing free samples through chatbots on Telegram, while selling the bulk of the data on the notorious BreachForums cybercrime platform.
Security experts suggest that this Star Health data leak has been occurring since at least August 6, 2024, predating Star Health’s official data breach announcement, which downplayed the incident as involving only “a few claims data.”
The company has since expressed that it is working closely with law enforcement agencies to address the issue, reassuring customers that their privacy remains a top priority.
The Role of Telegram in Star Health Data Breach
Telegram, with its 900 million active monthly users, has become one of the largest messaging platforms in the world. One of its popular features, the ability for users to create and deploy chatbots, has significantly contributed to its growth. However, this same feature is now being exploited by cybercriminals, as demonstrated by the Star Health data leak.
While Telegram did take down several chatbots after being alerted to the breach, new ones quickly emerged, offering the stolen data for sale again. Additionally, two websites (starhealthleak[.]com and starhealthleak[.]st) have surfaced, offering the same stolen data for purchase.
Pavel Durov, the Russian-born founder of Telegram, is currently facing charges in France for allegedly allowing his platform to be used for illegal activities. Both Durov and Telegram have denied any wrongdoing and claim they are working to address the misuse of the platform.
Nevertheless, the Star Health data breach incident underlines the challenges in controlling illegal activity on platforms like Telegram and highlights the growing need for more strong content moderation systems.
The Threat Actor: “xenZen”
The individual behind this breach, “xenZen,” has only recently emerged as a player in the cybercrime world, having begun targeting Indian organizations in June 2024. Active on BreachForums, one of the largest and most infamous cybercrime platforms, xenZen has already gained a reputation for selling stolen data from multiple high-profile victims, including Star Health.
The data posted by xenZen on BreachForums includes a wealth of information, from policyholder details to sensitive medical records. According to the researcher who spoke to The Cyber Express, the stolen data is being sold to a single buyer on the platform, a common tactic used by cybercriminals to profit from large-scale data breaches.
Star Health’s Response
In an official statement, Star Health confirmed they had received emails from an unidentified individual claiming unauthorized access to customer data. The company reassured the public that its cybersecurity team is investigating the breach and that a police complaint has been filed. Star Health also emphasized that its cybersecurity measures are aligned with the standards set by the Insurance Regulatory and Development Authority of India (IRDAI).
Despite the company’s efforts, the Star Health data breach has raised serious concerns about the effectiveness of its cybersecurity protocols, especially given the scale of the attack and the sensitivity of the stolen data.
Lessons and Recommendations
The Star Health data breach offers a reminder of the need for stronger cybersecurity practices and proactive incident response strategies. To help prevent future incidents, experts recommend the following measures:
- Securing Cloud-Based Data Storage: Organizations must ensure that cloud storage instances, including those managed by third parties, are properly secured. This includes disabling public access to storage buckets, using encryption, and implementing strict access controls.
- Securing Web Applications and APIs: Web applications and APIs must be secured with HTTPS, secure headers, and robust authentication mechanisms. Additionally, organizations should enforce input validation to prevent injection attacks and conduct regular vulnerability assessments.
- Vulnerability Disclosure Programs: Implementing responsible vulnerability disclosure programs encourages collaboration between security researchers and organizations. Clear rules of engagement and rewards for identifying vulnerabilities can help prevent breaches before they occur.
The breach at Star Health also highlights the need for rapid takedown capabilities, especially when stolen data is being actively sold on platforms like Telegram. Organizations must partner with cybersecurity firms that offer these services to minimize the exposure of sensitive data.
