Star Health Data Leak: 3 Cr Customers Affected, CISO Allegedly Involved

New Delhi, Oct 9 (PTI) Personal data like mobile numbers, PAN, addresses and pre-existing medical conditions of about 3.1 crore customers of Star Health Insurance is allegedly available on a website created by a hacker identified as xenZen.

The hacker claimed that Star Health's Chief Information Security Officer (CISO) sold all the data and later tried to change the terms of their deal.

According to the details shared by the UK-based researcher Jason Parker on September 20, a hacker by the name of xenZen has published a website with sample data of Star Health Insurance Company and an email communication with a top official responsible for handling and managing the digital network of the company.

"I am leaking all Star Health India customers and insurance claims sensitive data. This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly," xenZen claimed.

Clarifying on the matter Star Health Insurance in a statement said, a thorough and rigorous forensic investigation, led by independent cybersecurity experts is underway, and the company is working closely with government and regulatory authorities at every stage of this investigation.

"We also timely approached the Madras High Court which in the attached order has directed all including certain third parties to disable access to the relevant information. We are diligently pursuing the implementation of this order," it said.

The company categorically mentioned that the CISO has been duly co-operating in the investigation and has not arrived at any finding of wrongdoing by him till date.

"We also want to emphasize that any unauthorised acquisition, possession, or dissemination of customer data is illegal. We urge all platforms, hosting companies, social media channels and users to take swift and decisive action to halt such activities and comply with the orders of the High Court," it said.

Meanwhile, Madras High Court has observed that protection is vital to prevent the continuous leakage of such sensitive data and referred the matter for further hearing on October 25.

The hacker has created Telegram bots to access data of 31,216,953 customers updated till July 2024 and 5,758,425 claims of the company available till early August.

The email conversation video showed the email ID of the senior company official. The conversation video shows email chat as well as a chat on an instant messaging forum between xenZen and the company official for the deal.

The deal was initially finalised for USD 28,000 but later the official demanded USD 150,000 on the pretext that he has to pay a share to senior-level management for continuation of the data leak, the hecker alleged.

Any leak of personal details of people makes them vulnerable to online scams.