Online fraud: IRDAI proposes strict guidelines to prevent leaks similar to Star Health case

To combat online fraud occurrences, the Insurance Regulatory and Development Authority of India (IRDAI) has put forward more stringent regulations. This initiative follows a series of notable fraud incidents at insurers such as Star Health Insurance Company. 

Under the Insurance Fraud Monitoring Framework Guidelines of 2024, insurers are obligated to implement rigorous measures such as board-endorsed anti-fraud policies, autonomous Fraud Monitoring Units (FMUs), bolstered cybersecurity defenses, and routine fraud education initiatives.

"Cyber fraud can have far-reaching consequences, including identity impersonation, financial frauds, reputational damage, etc," IRDAI said in the draft guidelines. 

"Personal information such as KYC details, financial details, and medical records are highly coveted by cybercriminals, who exploit vulnerabilities in security defences to gain unauthorised access to these sensitive data available with insurers or distribution channels," it added. 

Star Health data leak

The actions taken by IRDAI were in response to a security breach involving the chief information security officer of Star Health Insurance. An individual known as "xenZen" alleged that the executive had sold company data and attempted to extort more money in return for ongoing access. The hacker has now put the data up for sale at $150,000 or smaller increments of $10,000, potentially putting policyholder data at risk of widespread dissemination.

In September, Star Health initiated legal action against Telegram and an individual responsible for a security breach, as disclosed in a Reuters report. The investigation unveiled the unauthorized disclosure of personal data and medical records of approximately 30 million Star Health policyholders through chatbots on the Telegram platform.

In response to a recent hacking of Star Health Insurance's customer database, the Madras high court issued a directive on Friday for the social media application Telegram to remove and block all identified posts or 'chatbots'. Additionally, the high court encouraged Star Health to provide Telegram with the necessary information for the successful deletion of the leaked data.

During the court proceedings at the Madras High Court, Star Health filed a petition against Telegram and other platforms following a hack on its database. It was revealed that hackers were utilizing messaging platforms to disclose sensitive information. 
The legal representative for Star Health Insurance requested the court to issue a restraining order against Telegram for publishing confidential data. 

However, Telegram explained that it lacked the capability to proactively search for leaks on its platform. The messaging platform agreed to remove the leaked information upon receiving specific details from the insurer.

To this, Telegram's counsel replied, “I (Telegram) don't have the power to patrol or police all bots and take them down. I can only block or, take down a channel if a particular violation is flagged. If I keep looking through all posts to search for Star health and take it off, I will be in violation of the IT Act.”