CHENNAI: The chief information security officer (CISO) of Star Health Insurance was behind the company’s recent massive customer data breach, claimed a hacker who has put the data on sale on his website. The hacker, identifying as xenZen, said that the CISO provided API access to the entire customer data, and posted a video showing the receipt of the customer data via email from the CISO.
UK-based cyber security researcher Jason Parker uncovered the data breach when xenZen posted a sale listing on breach forums. Parker told TOI through mail that the hacker, when pressed for the source of the leak, showed him chats, email communication and a screen recording with the CISO.
“I have gone through the video. Being a security researcher, I know it does not appear to be fake or altered at all. The emails are loading live as he is browsing them, which negates any possibility of it being spoofed or edited. I think it needs to be investigated by an independent govt agency,” Parker said.
The hacker claims to possess 7.24 TB of data on policyholders and claims, including names, phone numbers, addresses, medical records, PAN, policy details, detailed medical records and claim amounts. The hacker has displayed the data of a few customers as samples and has set up a chatbot to sell the data, with the whole set priced at $150,000.
TOI verified the identities and details of a few victims, including govt officials. People TOI spoke to confirmed their residential addresses and the policy details. Venkat Ragavan, one of the victims and part of the IT team at an organisation, expressed shock.
“We do not share our personal details even with friends but do so with these companies on trust. My identity could be misused for loan fraud and other criminal activity. The company should make proactive efforts to block these websites and take down data from the public domain with emergency response teams (ERT), as individuals cannot do so,” he said.
Star Health said in a statement that certain data has been accessed and that it is conducting a thorough and rigorous forensic investigation, led by independent cybersecurity experts. The company said it has reported the incident to the insurance and cybersecurity regulatory authorities.
Star Health also defended its CISO. It said, “CISO has been cooperating in the investigation and we have not arrived at any finding of wrongdoing by him till date.”
The company has sought an injunction in the Madras high court against messaging platform Telegram and IT management service company Cloudflare to prevent the publishing of, and access to, its customer information.