Star Health Data Leak: Company Clarifies Timeline and Response to Cyber Attack

Star Health has come under intense scrutiny following a cybersecurity breach that exposed the personal data of over 3 crore customers.

In a detailed clarification issued on October 12, the company revealed that the hacker, operating under the pseudonym “vladislav rs,” demanded a ransom of $68,000 (approximately INR 57 lakh) from the insurer in exchange for not releasing the data.

Timeline of Events

The timeline of the breach outlines a series of alarming events:

  • August 13: The hacker first contacted Star Health, demanding the ransom in a series of emails directed at the company’s Managing Director and CEO, Anand Roy.
  • August 14: Star Health promptly reported the cybersecurity incident to the Computer Emergency Response Team (CERT-In) and the Insurance Regulatory and Development Authority of India (IRDAI).
  • August 22: Following the initial demand, the hacker created a website called “starhealthscam.in” to sell the stolen data.
  • August 29: The company collaborated with law enforcement agencies to take down the hacker’s websites.
  • September 11: Star Health issued its first notice to the messaging platform Telegram, requesting the removal of bots that were disseminating the leaked data. However, the company claimed that Telegram did not comply, refusing to provide KYC details or permanently ban the hacker’s accounts despite multiple requests.
  • September 22: In a bid to strengthen its legal position, Star Health filed a petition in the Madras High Court against Cloudflare (which provided hosting services to the hacker), Telegram, and unidentified individuals associated with the hacker, specifically naming a person named Ashok Kumar. The petition seeks a permanent injunction against the use of Star Health’s brand and domain names, as well as a ban on the publication of the leaked data.
  • September 23: The Tamil Nadu Cyber Crime Cell officially registered an FIR, initiating an investigation into the breach under various sections of the Bharatiya Nyaya Sanhita and the Information Technology Act, 2000.
  • September 24: The Madras High Court granted ad-interim injunctions prohibiting anyone from exploiting the Star Health brand and domain names and banning the dissemination of the leaked data.

Scope of the Data Breach

The compromised data includes sensitive personal information such as customer names, addresses, phone numbers, PAN details, policy nominees, and medical histories.

The magnitude of the breach has raised serious concerns among customers and industry experts alike, particularly regarding the adequacy of cybersecurity measures in place at Indian companies.

Following the initial demand for a ransom, the hacker shifted tactics, attempting to sell the entire dataset for $150,000 (approximately INR 1.26 crore) on the aforementioned website.

Additionally, a smaller package of 100,000 entries was reportedly listed for $10,000 (about INR 8.4 lakh).

Despite Star Health’s efforts to shut down the websites, the hacker created new ones, including “starhealthleak.in” and “starhealth.lol,” where samples of the customer data were posted. These sites were also eventually taken down by the company.

Moreover, the hacker has made the information accessible by launching chatbots on Telegram, showcasing the lengths to which they have gone to exploit the stolen data.

Response and Future Measures

In light of the breach, Star Health has taken several proactive steps to address the situation.

The company has engaged independent cybersecurity experts to conduct a comprehensive forensic investigation, with findings expected by the end of October.

This investigation is critical not only for understanding the breach but also for developing strategies to prevent future incidents.

Star Health claims it has implemented additional security measures to shore up its IT infrastructure in the aftermath of the breach.

The company is committed to transparency and has stated that it will continue to keep stakeholders informed as the investigation unfolds and as it works to enhance its cybersecurity protocols.

Industry Implications

This incident has ignited discussions about the state of cybersecurity across the Indian corporate landscape.

Many industry experts are questioning the adequacy of current cybersecurity practices and the need for stricter regulations to protect consumer data.

The breach serves as a stark reminder of the vulnerabilities that can exist even in well-established companies and underscores the urgent need for continuous improvement in cybersecurity measures.

As the investigation by Star Health and local authorities continues, customers and stakeholders remain on high alert, awaiting further developments in what has become one of the most significant data breaches in the insurance sector.

The long-term implications of this breach will likely influence not only Star Health but also the broader landscape of data security in India, prompting other companies to reevaluate their cybersecurity strategies to protect against similar threats in the future.
