Star Health Data Leak: Telegram Accuses Company of Diversionary Tactics

New Delhi, Oct 30 (PTI) Instant messaging app Telegram on Wednesday accused Star Health of resorting to diversionary tactics in a massive data leak case of more than 3.1 crore insurance customers instead of addressing potential vulnerabilities.

The messaging platform has also questioned the lack of transparency shown in the entire episode to find out the vulnerability that led to the data breach.

A UK-based cyber security researcher Jason Parker in September discovered that personal data like mobile numbers, addresses and pre-existing medical conditions of more than 3.1 crore customers of Star Health and Allied Insurance Company have been allegedly sold by a senior company official.

Star Health has sued Telegram and other platforms through which the data was leaked.

"While Telegram has been transparent about its actions - including immediate bot removal, preventive monitoring, and cooperation with legal authorities - Star Health's public communications have focused primarily on the distribution of the leaked data rather than addressing potential vulnerabilities in their own systems," Telegram said in a statement.

The over-the-top communications app said that blaming intermediaries is a misguided response to corporate data breaches.

While no comments were received from Star Health in response to Telegram allegations, the insurance company, in a regulatory filing on October 28, said that it has appointed an independent firm (being experts in cybersecurity matters) to conduct a forensic investigation into the allegations of involvement made by the Threat Actor against the Chief Information Security Officer (CISO) of the company.

"The forensic investigation has been completed and it concluded that (a) the alleged communication between the Threat Actor and the CISO was fabricated by the Threat Actor; and (b) there were no links between the CISO and the Incident, and no evidence of any wrongdoing was found," Star Health said.

Telegram said that while Star Health has been vocal in pointing fingers at the app for the dissemination of leaked customer data, the messaging platform's recent clarifications and proactive measures paint a different picture of the situation, raising questions about where the primary focus of this investigation should lie.

"The more pressing question that remains largely unaddressed is how this sensitive customer data was compromised in the first place. While Star Health has been quick to initiate legal proceedings against Telegram, there has been notably less transparency about the original breach that led to this data exposure," the messaging app said.

Telegram said it is a classic case of missing the forest for the trees.

The messaging app also claimed to have taken swift action to remove the offending bots and implement comprehensive monitoring systems.

Telegram said the incident at Star Health raises important questions about corporate responsibility in data protection.

"Industry Impact The insurance sector collects and handles extremely sensitive personal and financial data, and hence, there is a need for a sector-wide review of data protection practices. With digital transformation accelerating across the industry, the security of customer data is a critical imperative. The focus needs to shift from blame assignment to collaborative solutions that protect customer data," Telegram said.

The insurance company also reported a cyber fraud-related incident in December 2022.

Star Health, on March 23, 2023, informed BSE about the incident and said that during its regular assessment, it observed unauthorised access to the company's mobile application.

In April 2023, a writ petition was filed in the Madras High Court by a cyber security researcher Himanshu Pathak against Star Health, demanding action against the company for exposing sensitive customer data, including the petitioner.

From the documents submitted in the writ petition, Pathak (CyberX9) reported the vulnerabilities exposing the sensitive data of all customers to Star Health in December 2022 and reported the same to CERT-In.

The matter is still sub-judice in Pathak's case.