Insider Cyberattack? Star Health Insurance CISO Allegedly Sells Sensitive Data to Chinese Hacker Personal data of 31 million Indians allegedly sold for USD 150,000

Global malicious groups are constantly targeting Indian institutions. In a disturbing development, Star Health Insurance has suffered a massive data breach after the firm's Chief Information Security Officer (CISO) allegedly sold sensitive credentials of 31 million Indians including PAN/Aadhaar numbers, phone numbers, emails, and home addresses. The CISO reportedly sold this data for USD 150,000 (approximately INR 1,26,00,000) to a Chinese hacker identified as "xenZen."

This incident sparked a debate on X (formerly Twitter) when Deedy Das, a venture capitalist at Menlo Ventures and a former Google employee, posted about the data leak. Das shared details of the breach, including the name of the security officer allegedly involved. In his post, a conversation between the officer and the hacker is shown, where the officer demands more money for backdoor access on behalf of senior management.

"Star Health management's CISO, Amarjeet (known as 'mc6'), sold all this data to me and then attempted to change the deal terms, stating that senior management of the company needed more money for backdoor access," Hacker said on his website.

The malicious actor is now selling the entire dataset for USD 150,000 or in smaller batches of 100,000 entries for USD 10,000 each.

Following the incident, Star Health Insurance said in the media, "We acknowledge that we were the victim of a targeted malicious cyberattack, resulting in unauthorized and illegal access to certain data. We want to make it absolutely clear that our operations remain unaffected, and all services continue without disruption."

The company further stated that the officer has not been found guilty of any wrongdoing to date. "We want to categorically state that our CISO has been fully cooperating with the investigation, and there has been no finding of wrongdoing by him to date. We request that his privacy be respected, as the threat actor appears to be attempting to create panic. We also want to emphasize that any unauthorized acquisition, possession, or dissemination of customer data is illegal."

In a different incident last month, Star Health Insurance filed a lawsuit against Telegram and a self-proclaimed hacker after a Reuters report revealed that the hacker was using chatbots on the messaging app to leak personal credentials and medical reports of policyholders. This breach exposed over 7.24 terabytes of sensitive information via Telegram bots.

These bots have made sensitive data of multiple individuals publicly accessible, including names, PAN numbers, mobile numbers, email addresses, dates of birth, residential addresses, pre-existing medical conditions, policy numbers, and nominee details. Additionally, personal information such as the height and weight of insured individuals, over five million insurance claims, Aadhaar card and PAN card photos, detailed medical reports, and insurance claim information are now circulating on Telegram and accessible to the public.

Regarding the recent data leak, Das explained that this data in the public domain poses a significant threat, as hackers could use it for financial fraud, identity theft, targeted scams, account hacking, phishing attempts, account takeovers, and extortion in the future.

Following a forensic investigation into the matter, Star Health Insurance's shares dropped by 2.5 per cent.