Updated at 9.50pm on 9 October 2024 to include a response from Star Health and Allied Insurance
In a shocking incident, a hacker claims to be leaking data of customers of Star Health and Allied Insurance Co Ltd and their insurance claims. The hacker, xenZen, alleges, "This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly." Star Health and Allied Insurance says it was a victim of a targeted malicious cyberattack, resulting in unauthorised and illegal access to certain data. It also says its chief information security officer (CISO) has been duly co-operating in the investigation and it has not arrived at any finding of wrongdoing by him till date.
xenZen posted details of the data leak on a website, starhealthleak.st, claiming that the total data size is 7.24TB and contains data of 31.21mn (million) customers and 5.75mn insurance claims. According to the information posted by the hacker, the customer data includes full name, PAN number, mobile number, email ID, date of birth, residential address and other details submitted while obtaining an insurance policy from Star Health Insurance.
The hacker also alleges that "Star Health management CISO (chief information security officer) Amarjeet Khanuja (as mc6) sold all this data to me and then attempted to change deal terms saying senior management of the company needs more money for backdoor access."
Last week, security analyst Jason Parker (@jasonxparker) first posted the message on X about the data leak. He said, "Threat actor launched his own self-hosted data leak bots for customers and claims data leak. Pretty much becoming bulletproof by now not relying on third-party platforms."
Responding to the post, another user, Leading Nowhere (@leading_nowhere), posted on X that "Star Health employee offers direct illegal API access to full customer medical records for US$43,000; then stiffs buyer, asking $150k because 'senior management' wants a cut, the buyer then promptly blows the whistle in retaliation. How incompetent could you be at white-collar crime?"
xenZen also shared a video on the website that contains communication with Mr Khanuja from [email protected] dated 25 July 2024. In one of these emails, Mr Khanuja wrote to say, "You have already taken 5TB data from this second access for claims data. We stopped it now since if you want to continue using this one, then you need to pay 150k USD more because I also need to share a major portion of it with senior management for it to continue."
In response, xenZen says, "are you kidding me lol? you want to scam me in this? you already took 15k for this claims data and earlier 28k for all customer data which was already high. dont try to play these games, it will be very bad for you."
xenZen also claims he has data of government of India officials, who are customers of Star Health and part of the data leak. "Below is small sample of some fields of data of Indian gov officials who are customers of Star Health and leaked in the Star Health Customers Data. In bot I've full detailed data of all officials including policy document and all sensitive fields."
On the portal, xenZen has created two bots. On query, one bot shows random customer data, including policy and personal details. The second bot shows data of insurance claims, including insurance claim details, claim amount, detailed medical and health reports and contact information of the claimant.
xenZen wants US$150,000 for the entire data and says he is ready to sell it in parts, at US$10,000 for 100,000 entries.
We sent an email to Star Health and Allied Insurance about the data leak and allegations of involvement of its employee in sharing the data with the hacker.
UPDATE:
Statement from Star Health Insurance: "We acknowledge that we were the victim of a targeted malicious cyberattack, resulting in unauthorised and illegal access to certain data. We make it absolutely clear that our operations remain unaffected, and all services continue without disruption.
A thorough and rigorous forensic investigation, led by independent cybersecurity experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cybersecurity regulatory authorities apart from filing a criminal complaint. We also timely approached the Madras High Court, which has directed all, including certain third parties, to disable access to the relevant information. We are diligently pursuing the implementation of this order.
We also want to categorically mention that our CISO has been duly co-operating in the investigation and we have not arrived at any finding of wrongdoing by him till date. We request that his privacy be respected as we know that the threat actor is trying to create panic. We also want to emphasize that any unauthorised acquisition, possession, or dissemination of customer data is illegal. We urge all platforms, hosting companies, social media channels and users to take swift and decisive action to halt such activities and comply with the orders of the High Court.
We have robust security measures in place and Star Health assures its customers and partners that their privacy and data security are paramount to us, and we are unwavering in our commitment to ensure their continued trust and confidence.
All our rights under the law and contracts are fully reserved."