A shocking data breach has rocked Star Health, one of India's largest health insurers, with a hacker putting up 7.24 TB of sensitive customer data for sale on a website for $150,000. The leaked data allegedly belongs to over 3.1 crore customers and contains personal details such as full names, PAN numbers, mobile numbers, emails, dates of birth, residential addresses, and more. The hacker, known as "xenZen," claims that a senior Star Health executive sold the data directly to him. The sale also includes “parts sale for 100,000 entries each for $10,000,” according to reports. However, the company denies this allegation, stating that it was the victim of a targeted malicious cyberattack.



Star Health has confirmed that a thorough forensic investigation is underway following this "targeted malicious cyberattack." The leaked data allegedly comprises insurance claims information from 57,58,425 customers, as well as personal details of 31,216,953 customers up to July 2024.


In a post on the selling website, xenZen stated, "I am leaking all Star Health India customers and insurance claims sensitive data." The hacker claimed that the data was obtained from Star Health itself, suggesting the company sold it directly. To back this claim, he pointed to Telegram bots where potential buyers could verify the data's authenticity.


The hacker's leak reportedly includes full names, PAN numbers, mobile numbers, email addresses, dates of birth, residential addresses, insured names, policy numbers, and even health metrics such as height and weight.


Star Health Insurance issued a statement to IANS, emphasizing that they are the victims of this cyberattack and that unauthorized access to data has occurred. They reassured customers that their operations remain unaffected and that all services continue without disruption.


"Our CISO is cooperating fully in the investigation, and we have found no evidence of wrongdoing on his part," the statement added. Star Health is also working closely with government and regulatory authorities and has filed a criminal complaint against the hacker and Telegram.


The insurer reiterated that any unauthorized acquisition or dissemination of customer data is illegal and called for respect for the privacy of individuals involved in the ongoing investigation.