Star Health Data Leak: 3.1 Cr Customers Affected

New Delhi, Sep 20 (PTI) Personal data like mobile numbers, addresses and pre-existing medical conditions of more than 3.1 crore customers of Star Health and Allied Insurance Company have been allegedly sold by a senior company official, a UK-based cyber security researcher has claimed.

A query sent to Star Health Insurance over the claims did not elicit any reply till the filing of the news report.

However, the company has sent emails to its customers alerting them about the possibility of fraudulent activity by third parties.

According to the details shared by the UK-based researcher Jason Parker on Friday, a hacker by the name of xenZen has published a website with sample data of Star Health Insurance Company and an email communication with a top official responsible for handling and managing digital network of the company.

"I am leaking all Star Health India customers and insurance claims sensitive data. This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly," xenZen claimed.

The hacker has created Telegram bots to access data of 31,216,953 customers updated till July 2024 and 5,758,425 claims of the company available till early August.

The email conversation video showed the email ID of the senior company official. The conversation video shows email chat as well as a chat on an instant messaging forum between xenZen and the company official for the deal.

The deal was initially finalised for USD 28,000 but later the official demanded USD 150,000 on the pretext that he has to pay a share to senior-level management for continuation of the data leak.

Any leak of personal details of people make them vulnerable to online scams.

Star Health on its part has alerted its customers about the possibility of fraudulent activities by third parties.

"It has come to our attention that certain third parties may be attempting to engage in unauthorised activities by falsely representing themselves as STAR Health officials and encouraging customers to discontinue their existing policy with us. These fraudulent acts not only pose a risk to your personal information but also potentially jeopardize the long-term benefits of your policy," the email to customers read.

The company on August 14 informed BSE that it is in receipt of e-mails from an unidentified person claiming to have unauthorized access to a few claims data.

"Our cybersecurity team is already investigating the matter and simultaneously a police complaint has been filed. The Company has adequate cybersecurity systems and controls, which are in accordance with IRDAI and other regulatory norms. We will issue further updates in accordance with the extant regulations," Star Health had said.

The company had also reported about a cyber fraud related incident in December 2022.

Star Health had on March 23, 2023 informed BSE about the incident and said that during its regular assessment it observed an unauthorised access to the company's mobile application.

In April 2023, a writ petition was filed in the Madras High Court by a cyber security researcher Himanshu Pathak against Star Health demanding action against the company for exposing the sensitive customer data including of the petitioner.

From the documents submitted in the writ petition, Pathak (CyberX9) reported the vulnerabilities exposing the sensitive data of all customers to Star Health in December 2022 and also reported the same to CERT-In.

The matter is still sub-judice in the Pathak's case.