“We acknowledge that we were the victim of a targeted malicious cyberattack, resulting in unauthorized and illegal access to certain data. We make it absolutely clear that our operations remain unaffected, and all services continue without disruption,” Star Health said
The leaked data allegedly contains full names, PAN numbers, mobile numbers, emails, date of birth, residential addresses, insured date of birth, insured names, gender, pre-existing diseases, policy numbers, health cards, nominee names, age, claims, nominee relationship, insured height, weight, BMI and more
New Delhi: After reports surfaced that customers’ data of Star Health, one of the largest health insurers in the country, was available on Telegram, a hacker has now put the entire 7.24 TB data, allegedly belonging to its over 3.1 crore customers for open sale on a website for $150,000.
In a statement Star Health Insurance has confirmed the development.
“We acknowledge that we were the victim of a targeted malicious cyberattack, resulting in unauthorized and illegal access to certain data. We make it absolutely clear that our operations remain unaffected, and all services continue without disruption,” Star Health said.
“A thorough and rigorous forensic investigation, led by independent cybersecurity experts is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cybersecurity regulatory authorities apart from filing a criminal complaint. We also timely approached the Madras High Court which in the attached order has directed all including certain third parties to disable access to the relevant information. We are diligently pursuing the implementation of this order,” the health insurer added.
“We also want to categorically mention that our CISO has been duly co-operating in the investigation and we have not arrived at any finding of wrongdoing by him till date. We request that his privacy be respected as we know that the threat actor is trying to create panic. We also want to emphasize that any unauthorised acquisition, possession, or dissemination of customer data is illegal. We urge all platforms, hosting companies, social media channels and users to take swift and decisive action to halt such activities and comply with the orders of the High Court,” the company further said.
“We have robust security measures in place and Star Health assures its customers and partners that their privacy and data security are paramount to us, and we are unwavering in our commitment to ensure their continued trust and confidence. All our rights under the law and contracts, are fully reserved,” the company said.
The sale, which also offers “parts sale for 100,000 entries each for $10,000”, contains alleged insurance claims data of 57,58,425 Star Health customers (till early August 2024), along with 31,216,953 customers (till July), claimed the hacker.
The hacker, who goes by the name xenZen and whose whereabouts are not known, wrote on the website (https://starhealthleak.st/) that “I am leaking all Star Health India customers and insurance claims sensitive data.”
“This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly. You can check the authenticity of the data in the Telegram bots below and read about how they sold it,” the hacker claimed.
The leaked data allegedly contains full names, PAN numbers, mobile numbers, emails, date of birth, residential addresses, insured date of birth, insured names, gender, pre-existing diseases, policy numbers, health cards, nominee names, age, claims, nominee relationship, insured height, weight, BMI and more.
The hacker is selling the alleged data via two separate and active chatbots on the website. One can see the alleged data after pressing the start button on the bots.
In an earlier statement, Star Health and Allied Insurance had said it reported an alleged unauthorised data access to local authorities, an initial assessment showed no widespread compromise, and that “sensitive customer data remains secure”.
After the data leak was first reported, insurer Star Health had filed a lawsuit against the social media platform Telegram and the hacker. Star Health had characterised the cyber incident as “illegal hacking and unauthorised access to sensitive information.”
Star Health was yet to immediately comment on the hacker’s fresh claims via his website.
IANS