Star Health Insurance CISO accused of selling customer data
In a new development in the Star Health Insurance data breach, a hacker website has surfaced, alleging that the company’s Chief Information Security Officer, Amarjeet Khanuja, sold sensitive data to hackers and subsequently attempted to renegotiate the deal, demanding extra funds for backdoor access on behalf of senior management. The site, created by a hacker known as xenZen, claims that Khanuja's actions were crucial to the breach and that the hacker possesses a screencap video showing chats and emails with the Star Health official.
“Star Health management CISO (Chief information security officer) Amarjeet (as mc6) sold all this data to me and then attempted to change deal terms saying senior management of the company needs more money for backdoor access,” the website revealed.
The hacker is now offering the complete dataset for sale at $150,000 (approximately ₹1.26 crore) and partial datasets of 100,000 entries for $10,000, with options for custom packages. To establish credibility, the hacker has provided over 500 "random data samples" on the website.
On September 20, Fortune India reported a potential data breach impacting 31 million Star Health Insurance customers. Sensitive information such as medical records, Aadhaar card details, and addresses was accessible via Telegram chatbots. The hacker claims to possess 7.24 terabytes of data, including full names, PAN and mobile numbers, email addresses, dates of birth, residential addresses, and medical conditions, posing significant risks for identity theft and financial fraud.
In light of this development, Star Health shares have been on a downward trend for the past 9 trading sessions, falling as much as 11% since September 30. The shares are currently trading at ₹549.05, down 3% from yesterday’s close of ₹566.25.
Star Health Insurance has acknowledged being the victim of a targeted cyberattack, leading to unauthorised access to certain data. However, the company claims that its operations remain unaffected, and all services continue without disruption. Additionally, Star Health has reportedly stated that its CISO has been cooperating fully in the investigation, and no findings of wrongdoing have been identified against him to date.
While the company denies any involvement by its CISO, questions remain about the possibility of the CISO's account being compromised. It is still unclear how the hackers accessed sensitive information, adding to the uncertainty surrounding the situation. Additionally, the CISO's LinkedIn page, which was previously accessible, is now unavailable.
The company has reported that a thorough forensic investigation, led by independent cybersecurity experts, is underway. Star Health has also reportedly approached the Madras High Court, which directed all parties, including certain third parties, to disable access to the relevant information. Additionally, the legal complaint filed by the insurer accuses US-based software company Cloudflare of hosting the hackers' websites that offer the stolen dataset for sale.
In a tweet on October 10, Deedy Das, a venture capitalist at California-based Menlo Ventures, revealed that the alleged data sale to the Chinese hacker amounted to $43,000. Das gave a breakdown of how the suspected data breach may have happened. He claimed that on September 25, the starhealthleak website was launched, featuring two Telegram bots for customer and claims data. “People in power in India (and perhaps elsewhere) will sell your data in a heartbeat. Why? No one seems to care,” Das added.