Personal data of over 31 million customers of Star Health and Allied Insurance Company has allegedly been sold by a senior official, according to a UK-based cybersecurity researcher. The information includes mobile numbers, addresses, and medical conditions. Star Health has not responded to queries regarding these claims but has warned customers about potential fraudulent activities.

The UK researcher, Jason Parker, revealed on Friday that a hacker named xenZen published a website displaying sample data from Star Health. This includes an email exchange with a top official managing the company's digital network. "I am leaking all Star Health India customers and insurance claims sensitive data. This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly," xenZen claimed.

Data Breach Details

The hacker has set up Telegram bots to access data of 31,216,953 customers updated until July 2024 and 5,758,425 claims available until early August. A video shows an email conversation between xenZen and the company official, initially agreeing on USD 28,000 for the data. However, the official later demanded USD 150,000, citing the need to share proceeds with senior management.

Star Health has alerted its customers about possible fraudulent activities by third parties posing as company officials. "It has come to our attention that certain third parties may be attempting to engage in unauthorised activities by falsely representing themselves as STAR Health officials and encouraging customers to discontinue their existing policy with us," read an email sent to customers.

Company's Response

On August 14, Star Health informed BSE about receiving emails from an unidentified person claiming unauthorized access to some claims data. "Our cybersecurity team is already investigating the matter and simultaneously a police complaint has been filed," the company stated. They assured that their cybersecurity systems comply with IRDAI and other regulatory norms.

In December 2022, Star Health reported a cyber fraud incident. On March 23, 2023, they informed BSE about unauthorized access to their mobile application during a regular assessment. In April 2023, cybersecurity researcher Himanshu Pathak filed a writ petition in Madras High Court against Star Health for exposing sensitive customer data.

Legal Proceedings

The writ petition submitted by Pathak included documents from CyberX9 reporting vulnerabilities exposing customer data to Star Health in December 2022. These vulnerabilities were also reported to CERT-In. The case remains sub-judice as legal proceedings continue.

Star Health continues to face scrutiny over its handling of customer data security. The company is working with authorities to address these breaches while maintaining compliance with regulatory standards.