More than 7.24 terabytes of sensitive customer data, including around 31 million Star Health and Allied Insurance policies, has been discovered publicly accessible through chatbots on the messaging platform Telegram. This discovery comes just a week after Telegram was accused of facilitating criminal activities on its platform, raising serious concerns about the app’s ability to prevent misuse.
Millions of users’ private details, including medical records, tax documents, and personal identification information, have been compromised. Jason Parker, a UK-based security researcher, first brought the issue to light.
Jason posed as a buyer on an online hacker forum. He discovered that the chatbot’s creator, known by the alias ‘xenZen,’ claimed to possess 7.24 terabytes of data, impacting over 31 million Star Health customers. The hacker also created a website, ‘starhealth.com’, showing samples of stolen data.
“This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly,” claims xenZen. “Star Health management CISO (Chief Information Security Officer) Amarjeet (as mc6) sold all this data to me and then attempted to change deal terms saying senior management of the company needs more money for backdoor access.”
The data includes medical diagnoses, ID cards, policy numbers, and medical test results. To cement the authenticity of the leak, xenZen also displayed leaked government officials’ data on the website.
The compromised data was accessible through two chatbots, which have been operational since early August. These bots allow users to retrieve insurance claims and personal records with alarming ease.
This breach underscores the darker side of Telegram’s bot functionality, which has helped the app gain popularity by automating content delivery to its 900 million monthly users.
While Telegram’s wide-ranging capabilities are part of its appeal, they have also become tools for malicious actors. Earlier, in its initial assessment, the company reported that there was “no widespread compromise.” Star Health also reassured its customers that their privacy is a priority, yet evidence shows otherwise.
However, Reuters was able to download over 1,500 documents, with some records dated as recently as July 2024. In response to these allegations, the company came out with a new statement:
“On August 13, we received communication from an unidentified source alleging unauthorised access to some of our information. The matter was promptly reported to the Tamil Nadu Cybercrime Department, CERT-In, IRDAI, and SEBI as part of our commitment to regulatory transparency and swift action,” said the company.
Many customers have expressed concern about how this breach may affect them, particularly given that no official notification of the leak has been issued to those impacted.
Telegram’s founder, Pavel Durov, has already faced scrutiny over the platform’s alleged role in facilitating criminal activity. Durov, who was arrested in France, has denied the accusations, maintaining that Telegram is working to address illegal content.
Telegram’s spokesperson, Remi Vaughn, confirmed that the chatbots sharing Star Health’s data were taken down after being flagged as suspicious. Yet, within hours, bots emerged, continuing to distribute the sensitive information.
Vaughn defended Telegram’s moderation efforts, explaining that the platform uses a mix of proactive monitoring, AI tools, and user reports to tackle harmful content. Despite these measures, Telegram’s anonymity features and the ease of creating bots have made it a fertile ground for cybercriminals.
The Star Health breach is part of a larger trend of hackers exploiting Telegram’s functionalities to sell stolen data. Despite assurances from the insurer, the company’s reputation and the trust of millions of customers are on the line.
For now, the full extent of the damage remains unclear as both authorities and the company continue their investigation. But with new chatbots continually surfacing, the situation raises critical questions about the efficacy of data protection measures in India’s growing digital economy.