In a shocking data breach, confidential client information, including medical records, from Star Health and Allied Insurance was exposed and made public through Telegram chatbots. This incident comes just weeks after Telegram's creator, Pavel Durov, was accused of facilitating criminal activity through the popular chat service.
How It Unfolded
A UK-based security researcher by the name of Jason Parker discovered the breach and alerted news agency Reuters. According to Parker, millions of Star Health customers' sensitive information was being offered for sale, with samples easily available on these chatbots.
Parker said the chatbots, created by an individual going by the alias xenZen, have been operational since August 6, 2013.
On an online hacker forum, xenZen claimed to be in possession of 7.24 terabytes of data belonging to over 31 million Star Health customers. While small portions of the data are available for free on a random, piece-by-piece basis, xenZen is allegedly selling the data in bulk.
Apparently, two different chatbots were used to distribute the data. One offered claim documents in PDF format, while the other allowed users to request up to 20 samples from a dataset of 31.2 million records, providing details such as policy numbers, names and body mass index (BMI).
Though Telegram disabled the chatbots soon after it was alerted, fresh bots providing Star Health data have since emerged.
Star Health Admits Hack, Says Data Safe
Star Health, one of India's largest health insurers, acknowledged the unlawful access in a statement to Reuters.
However, it said that, according to its preliminary investigation, there was “no widespread compromise” and that “sensitive customer data” was secure. It said that it has nevertheless alerted authorities, including Tamil Nadu's cybercrime department and India's cybersecurity agency, CERT-In, about the incident.
Star Health added that unauthorised acquisition and sale of customer data is illegal, and that it is cooperating with law enforcement agencies to address the issue.
Star Health further said that an unnamed person contacted it on August 13, 2024, and claimed to have access to its data.
But Data Still Available
Reuters, however, claimed that it was able to download several documents through the chatbots, including policy and claims records. These documents contained personal details such as names, phone numbers, addresses, tax information, identification cards, medical test results and diagnoses, it added.
Reuters further said in its report that it was unable to independently verify the extent of xenZen's claims or the method by which the data was obtained, but the security researcher successfully downloaded over 1,500 files, some dating as recently as July 2024. The chatbots' welcome message even warned, “If this bot gets taken down, watch out, another one will be made available in a few hours.”
Telegram’s Response
Soon after Reuters informed Telegram about the chatbots on September 16, 2024, the messaging network acted quickly, deactivating the bots within 24 hours.
Telegram spokeswoman Remi Vaughn acknowledged that these chatbots had been disabled.
However, fresh bots providing Star Health data have since emerged.
Data Security In Digital World
The incident emphasises the greater issue of data security, particularly when using platforms such as Telegram.
Telegram enables users to store and exchange enormous quantities of data anonymously and its chatbot function has been largely credited with propelling the app to 900 million active monthly users. However, this same feature is also being exploited by criminals to distribute stolen data.
Among the leaked records was a claim filed by Pankaj Subhash Malhotra, which included ultrasound test results, illness details and copies of tax and national ID cards. Malhotra confirmed the authenticity of the leaked documents, stating that he had not been informed of any breach by Star Health.