Star Health Insurance’s sensitive customer data leaked on Telegram chatbots, raises concerns

Customer data, which includes medical reports from Star Health and Allied Insurance Ltd, is publicly accessible via chatbots on Telegram just weeks after the Telegram Founder was accused of allowing the messenger app to facilitate crime, news agency Reuters reported on Friday, September 20.

The alleged creator of the chatbots told a security researcher, who alerted the agency of the development. According to the report, the private details of millions of people were for sale, and samples could be viewed by asking the bots to disclose them.

Star Health and Allied Insurance told Reuters in a statement that the company reported alleged unauthorized data access to local authorities. The company disclosed in an initial statement that "no widespread compromise" happened and that “sensitive customer data remains secure”.

According to the report, the agency downloaded policy and claim documents featuring names, phone numbers, addresses, tax details, copies of ID cards, test results, and medical diagnoses using chatbots.

The feature enables users to create chatbots and has made Telegram one of the biggest messenger apps, with 900 million active monthly users, reported the agency.

Using chatbots in Telegram to sell stolen data shows the app's difficulty in preventing criminal agents from taking advantage of its technology. According to the report, this also highlights the challenges Indian companies face in keeping their data safe.

UK-based researcher Jason Parker said that the Star Health chatbots feature a welcome message stating they are "by xenZen" and have been operational since August 6.

Parker posed as a potential buyer on an online hacking forum, where a user under the alias xenZen said that they made the chatbots and possessed 7.24 terabytes of data related to over 31 million Star Health customers, reported the agency. The data is free through the chatbot on a random, piece-by-piece basis but also for sale in bulk form, said the report.

The agency could not independently verify these claims nor determine how the chatbot creator got the data. In an email to the agency, xenZen said they were discussing with buyers without disclosing who or why they were interested.

Star Health and Allied Insurance Company Ltd shares closed 1.76 per cent higher at ₹617 after Friday's trading session, compared to ₹606.35 at the previous market close.

Chatbot offerings

The news agency downloaded over 1,500 files, some of which were documents dated as recently as July 2024. According to the report, the welcome message from the bot read, “If this bot gets taken down, watch out; another one will be made available in a few hours."

These chatbots were later marked as “Scam” with a stock warning that users had reported them as a suspect. Telegram has “taken down” the chatbots and asked to be informed if more appeared after the agency shared details of them with Telegram on September 16, according to spokesperson Remi Vaughn, quoted in the report.

“The sharing of private information on Telegram is expressly forbidden and is removed whenever it is found. Moderators use a combination of proactive monitoring, AI tools and user reports to remove millions of pieces of harmful content each day.”

New chatbots have since started offering Star Health data. The company said that an unidentified person contacted them on August 13, claiming that they had access to some of the data. According to the report, Star Health reported the issue to Tamil Nadu's cybercrime department and federal cyber security agency CERT-In.

“The unauthorized acquisition and dissemination of customer data is illegal, and we are actively working with law enforcement to address this criminal activity. Star Health assures its customers and partners that their privacy is of paramount importance to us,” Star Health said in its statement.

The report said representatives of CERT-In and the Tamil Nadu Cybercrime Department refused to respond to email requests for queries.

Policyholders unaware

Telegram allows people to store and share large amounts of data behind anonymous accounts. It also lets people create customizable chatbots that provide content and features based on user requests, according to the agency report.

Two chatbots offer Star Health data: one offers documents in PDF format, and the other allows users to request up to 20 samples from 31.2 million datasets with a single click, giving details including policy number, name, and body mass index (BMI).

The documents disclosed to the agency were the records of treatment of the one-year-old daughter of the policyholder Sandeep TS at a Kerala hospital. The leaked records included diagnosis, blood test results, medical history and a bill of nearly ₹15,000.

“It sounds concerning. Do you know how this can affect me?” Sandip told the agency confirming the authenticity of the leaked documents. Star Health has not notified him of any data leak.

The report said the chatbot also leaked a claim from policyholder Pankaj Subhash Malhotra last year. The claim included ultrasound imaging test results, details of illness, and copies of federal tax accounts and national ID cards. Malhotra also confirmed the authenticity of the documents and said that the company did not make him aware of any security threat to the report.

This is part of a broader trend of hackers using similar methods to sell stolen data. Out of five million people whose data was sold through chatbots, India made up 12 per cent of victims, as per a NordVPN survey 2022, cited in the report.

“The fact that sensitive data is available via Telegram is natural, because Telegram is an easy-to-use storefront,” Adrianus Warmenhoven, cybersecurity expert at NordVPN told the agency. “Telegram has become an easier to use method for criminals to interact.”