Star Health customers’ personal data leaked by hackers via Telegram chatbot
Stolen customer data, including medical reports from India’s largest health insurer, Star Health, was made public through chatbots on Telegram, just weeks after Telegram’s founder was accused of allowing the messaging app to facilitate crime.
The alleged creator of the chatbots told a security researcher, who alerted Reuters to the issue, that personal information from millions of people was being sold and that samples could be viewed by asking the chatbots to reveal them.
Star Health and Allied Insurance, which has a market capitalization of more than $4 billion, said in a statement to Reuters that it had reported the allegations of unauthorized data access to local authorities. It said an initial review found “no widespread breach” and that “sensitive customer data remains secure.”
Using the chatbots, Reuters was able to download policy and claim documents that include names, phone numbers, addresses, tax information, copies of IDs, test results and medical diagnoses.
The ability for users to create chatbots is widely credited with helping Dubai-based Telegram become one of the world’s largest messaging apps with 900 million monthly active users.
However, the arrest in France of Russian founder Pavel Durov last month has increased scrutiny of Telegram’s content moderation practices and features that are vulnerable to criminal abuse. Durov and Telegram have denied wrongdoing and are addressing the criticism.
The use of Telegram chatbots to sell stolen data shows the app’s struggle to prevent bad actors from abusing the technology and highlights the challenges Indian companies face in keeping their data safe.
The Star Health chatbots have a welcome message stating they are “made by xenZen” and have been active since at least August 6, said UK-based security researcher Jason Parker.
Parker said he posed as a potential buyer on an online hacker forum, where a user known as xenZen said he had created the chatbots and was in possession of 7.24 terabytes of data related to more than 31 million Star Health customers. The data was provided free of charge through the chatbots on a random, piecemeal basis, but was sold in bulk.
Reuters could not independently verify xenZen’s claims, nor could it determine how the chatbot’s creators obtained the data. In an email to Reuters, xenZen said it was in discussions with buyers, without disclosing who they were or why they were interested.
REMOVED
During testing of the bot, Reuters downloaded more than 1,500 files, some of which were dated as recently as July 2024.
“If this bot is taken down, be careful because another bot will appear in a few hours,” the welcome message reads.
The chatbots were then marked as “SCAM” with a warning that users had reported them as suspect. Reuters shared details of the chatbots with Telegram on September 16, and within 24 hours, spokesperson Remi Vaughn said they had been “taken down” and asked to be notified if more information emerged.
“Sharing private information on Telegram is strictly prohibited and will be removed whenever detected. Moderators use a combination of proactive monitoring, AI tools, and user reports to remove millions of pieces of harmful content every day.”
Since then, new chatbots have emerged to provide data on Star Health.
Star Health said an unidentified person contacted the company on August 13 claiming to have access to some of its data. The insurer reported the matter to the Tamil Nadu state cybercrime department and federal cybersecurity agency CERT-In.
“The unauthorized collection and dissemination of customer data is illegal and we are actively working with law enforcement to address this criminal activity. Star Health assures our customers and partners that their privacy is extremely important to us,” the company said in its statement.
In a stock exchange filing on August 14, Star Health, India’s largest independent health insurance provider, said it was investigating an alleged breach of “certain claims data.”
Representatives of CERT-In and the Tamil Nadu Cybercrime Department did not respond to emailed requests for comment.
DON’T KNOW
Telegram allows individuals or organizations to store and share large amounts of data behind anonymous accounts. It also allows them to create custom chatbots that automatically deliver content and features based on user requests.
Two chatbots deliver Star Health data. One provides claim documents in PDF format. The other allows users to request up to 20 samples from 31.2 million data sets with a single click, providing details including policy numbers, names, and even body mass index.
Among the documents leaked to Reuters were records relating to the treatment of insured Sandeep TS’s one-year-old daughter at a hospital in the southern state of Kerala. The records included diagnoses, blood test results, medical histories and a bill of nearly 15,000 rupees ($179).
“It sounds alarming. Do you know how this could affect me?” Sandeep said, confirming the authenticity of the documents. He said Star Health had not informed him of any data breach.
The chatbot also revealed a complaint filed last year by insured Pankaj Subhash Malhotra that included ultrasound scan results, medical details, and copies of federal tax returns and citizenship identification cards. He also confirmed the documents were authentic and said he was not aware of any security breach.
The Star Health chatbots are part of a trend of hackers using such methods to sell stolen data. Of the five million people whose data was sold via chatbots, India had the largest number of victims at 12%, according to the latest survey on the epidemic conducted by NordVPN in late 2022.
“The fact that sensitive data is available via Telegram is natural, as Telegram is an easy-to-use outlet,” said NordVPN cybersecurity expert Adrianus Warmenhoven. “Telegram has become a more user-friendly method for criminals to interact.”