Hacker ‘sells’ 3.12cr Star Health customer data for $150,000, company responds

New Delhi, October 9 (IANS): After reports surfaced that customer data of Star Health, one of the country’s largest health insurers, was available on Telegram, a hacker has now put all 7.24 TB of data for open sale, allegedly belonging to its more than 3.1 million customers. a website for $150,000.

The company said Wednesday that a thorough forensic investigation into the “targeted malicious cyber attack” is underway.

The sale, which also offers “sale of parts for 100,000 tickets each for $10,000,” contains alleged insurance claims data for 57,58,425 Star Health customers (through early August 2024), along with 31,216. 953 customers (as of July), the hacker claimed.

The hacker, who goes by the name “xenZen” and whose whereabouts are unknown, wrote on the website that “I am leaking all Star Health India customers and sensitive data from insurance claims.”

“This leak is sponsored by Star Health and Allied Insurance Company, who sold me this data directly. You can check the authenticity of the data on the Telegram bots below and read how they sold it,” the hacker claimed.

The leaked data allegedly contains full names, PAN numbers, mobile numbers, emails, date of birth, residential addresses, assured date of birth, insured names, sex, pre-existing diseases, policy numbers, health cards, candidate names, age , claims , candidate relationship, assured height, weight, BMI and more.

The hacker is selling the alleged data via two separate chatbots active on the website. The alleged data can be seen after pressing the bots start button.

In a statement to IANS, Star Health Insurance said they were victims of a targeted malicious cyber attack, which led to illegal and unauthorized access to certain data.

“We make it absolutely clear that our operations are not affected and that all services continue without disruption. A thorough and rigorous forensic investigation is underway, led by independent cyber security experts, and we are working closely with the government and regulatory authorities at every stage of this investigation, including duly reporting the incident to insurance and cyber security regulatory authorities, apart from filing a criminal complaint,” the insurer said.

The company further stated that “Our CISO has fully cooperated in the investigation and to date we have made no findings of wrongdoing. We ask that your privacy be respected as we know that the threat actor is trying to create panic.”

“We also want to emphasize that any unauthorized acquisition, possession or dissemination of customer data is illegal,” the company added.

After the data breach was first reported, insurer Star Health had filed a lawsuit against social media platform Telegram and the hacker.