Personal and insurance details of millions of Star Health Insurance customers have reportedly been exposed and are now allegedly for sale. A hacker, identified as “xenZen,” claims to have obtained 7.24 TB of sensitive data belonging to over 31 million customers and has put it up for sale on a website for $150,000. Partial data sets of 100,000 entries each are also offered at $10,000. This breach, impacting one of India’s largest health insurers, has raised serious concerns about data security.
According to the hacker’s post, the stolen data includes personal details such as names, PAN numbers, mobile numbers, email addresses, birth dates, residential addresses, policy numbers, pre-existing conditions, health card details, and other sensitive health information. The hacker even went so far as to claim that Star Health “sponsored” the leak by allegedly selling the data directly to them, although the company firmly denies any such claims.
Star Health acknowledged the cyberattack in a statement, describing it as a “targeted malicious attack” and confirming that an extensive forensic investigation is underway. The insurer has engaged independent cybersecurity experts to assist with the probe and is closely collaborating with government and regulatory bodies, including insurance and cybersecurity authorities. Additionally, the company has filed a criminal complaint and a lawsuit against both the hacker and the messaging platform Telegram, where portions of the leaked data were reportedly shared initially.
“We wish to clarify that our operations are fully functional, and services to customers remain unaffected. A thorough investigation is being led by our cybersecurity team, and we continue to work in conjunction with authorities to ensure that customer data remains protected,” said Star Health in its statement. The company emphasised that any unauthorised handling or distribution of customer data is illegal, urging respect for privacy as the investigation unfolds.
To let visitors verify the leak, the hacker has activated two chatbots on the website; users can view segments of the data by interacting with the bots. The company, however, has warned the public that engaging with this leaked information is illegal and could carry serious consequences.
Mohan Madwachar, Country Manager, Sattrix Information Security Limited, commented, "While investigations into this data breach continue, it’s crucial to recognise that relying solely on the latest technologies is insufficient to safeguard organizations from cyberattacks. A comprehensive cybersecurity strategy must align people, processes, and technology with both business and security objectives."
"Today’s sophisticated threats demand equally sophisticated defenses. This includes robust web and mobile application security, proactive breach and attack simulation, secure coding practices, widespread security awareness, and genuine commitment to compliance," he added.