Star Health Cyberattack: A Detailed Analysis of the $68,000 Ransom Demand and Data Leak


Introduction

In August 2024, Star Health and Allied Insurance, India's largest health insurer, fell victim to a sophisticated cyberattack resulting in the leak of sensitive customer data and medical records. The attacker, known as xenZen, demanded a ransom of $68,000 in exchange for ceasing further leaks of confidential information. The breach has caused a massive reputational and financial crisis for the company, with its market value declining and legal battles ensuing. This blog provides a comprehensive look at the timeline, technical details, and the overall impact of this significant cyberattack.

Overview of the Star Health Cyberattack

The cyberattack was first reported in September 2024 when it came to light that a hacker had been leaking sensitive customer data on platforms like Telegram using chatbots and a dedicated website. The leaked data included mobile numbers, addresses, medical conditions, tax details, and medical claims, affecting over 31.2 million customers. The hacker exploited vulnerabilities in Star Health's systems, leading to significant data breaches and exposing the personal information of its policyholders.

This leak sparked an immediate crisis, with Star Health shares dropping by 11% and the company launching internal investigations to mitigate the damage. The company also took legal action against Telegram and the hacker, whose website continued to share the leaked data. The incident not only exposed the company's cybersecurity weaknesses but also led to allegations against Amarjeet Khanuja, the Chief Information Security Officer (CISO), for potential involvement in the breach. However, Star Health maintains that its ongoing internal investigation has found no wrongdoing by Khanuja as of now.

Timeline of Key Events

Early August 2024: Initial Breach and Ransom Demand

  • August 13, 2024: Star Health executives received an email from the hacker, later identified as "xenZen," demanding a ransom of $68,000. The hacker claimed to have gained unauthorized access to sensitive customer data, including tax records and medical claim details. The email was addressed directly to the Managing Director (MD) and Chief Executive Officer (CEO).

  • August 14, 2024: Star Health notified key regulatory authorities, namely CERT-In (the Indian Computer Emergency Response Team) and IRDAI (the Insurance Regulatory and Development Authority of India). The company's Board of Directors and its Risk Management Committee were also informed of the breach. Star Health immediately launched an internal investigation and hired independent cybersecurity experts to handle the matter.

Mid-August to Early September 2024: Escalation and Initial Response

  • August 22, 2024: The hacker set up a website, starhealthleak, to publicly display sample data of the company’s customers. The site posted around 500 samples containing personal data such as mobile numbers, addresses, and pre-existing medical conditions. Star Health promptly took down the website but faced ongoing challenges as the hacker created new sites, including starhealth.lol.

  • September 11, 2024: Star Health issued the first notice to Telegram, requesting the removal of bots created by the hacker to disseminate customer data. The hacker repeatedly created new bots after each takedown, making it nearly impossible to contain the leak via Telegram. Telegram declined to share Know Your Customer (KYC) details of the bot owners and did not permanently ban the accounts.

September 20, 2024: Public Exposure and Major Revelation

  • September 20, 2024: Reuters reported that over 3.1 crore (31 million) customers' sensitive data, including personal medical claims, had been leaked. According to UK-based cybersecurity researcher Jason Parker, a website created by the hacker showed email communications implicating a top Star Health official in the sale of this data. The leaked information was verified through Telegram bots and the hacker’s website.

  • Shares of Star Health dropped by 11% as the company grappled with a reputational crisis and growing concerns over the involvement of its Chief Information Security Officer (CISO), Amarjeet Khanuja.

  • September 23, 2024: The Tamil Nadu Police Cyber Crime Cell filed a First Information Report (FIR) following a complaint from Star Health. The company also filed a civil suit in the Madras High Court on September 22, 2024, which led to a court order directing third parties to disable access to leaked information.

  • September 27, 2024: Telegram announced that it had deleted the original bots sharing Star Health’s data. It also stated that a major sweep of harmful content on the platform had removed around 90% of the malicious content. However, self-hosted bots set up by the hacker made it difficult to eliminate the data leak completely.

  • October 3, 2024: Parker reported that the hacker, now self-hosting the bots, had made it nearly impossible to permanently shut down access to the leaked data. Despite ongoing legal action, the website continued to share sensitive information.

Technical Details of the Attack

The Star Health cyberattack was multifaceted, combining data theft, extortion, and the use of Telegram bots and websites to publicly leak sensitive information. Here’s a breakdown of the key technical aspects:

  • Data Exfiltration: The hacker, xenZen, gained access to Star Health’s customer database, which included personal data and medical claim documents of over 31 million individuals. The data also included details of 5.7 million claims, with records updated through early August 2024.

  • Telegram Bots: xenZen initially used Telegram bots to distribute customer data. These bots allowed users to search for and retrieve leaked data, including customer names, phone numbers, and medical records. The bot infrastructure was dynamic, with new bots being created every time Telegram took one down. By October 2024, the hacker had shifted to self-hosting the bots, making it nearly impossible to remove them permanently.

  • Web-Based Distribution: The hacker’s website, which shared samples of the leaked data, played a central role in the attack. Despite Star Health’s repeated efforts to take down the websites, the hacker created new ones with different domain names. The website also contained claims that the company’s CISO had directly sold the data, which Star Health vehemently denied.

  • Forensic Investigation: Star Health engaged third-party cybersecurity experts to conduct a comprehensive forensic analysis. These investigations focused on identifying the breach’s entry points, the extent of the data exfiltration, and whether any insiders were involved in the attack.

Impact on Star Health

Business and Financial Repercussions

  • Stock Price Decline: Star Health’s market value fell by 11% following the breach, and the company faced mounting pressure from shareholders and regulatory bodies. For a company with a market capitalization of roughly $4 billion, the attack not only hurt its finances but also severely damaged its reputation.

  • Legal and Regulatory Challenges: The company filed complaints with both local authorities and regulatory bodies, including CERT-In and IRDAI, and pursued legal actions in the Madras High Court. The legal battles to suppress data leaks from Telegram and websites are ongoing.

  • Ransom Demand: The hacker demanded $68,000, but Star Health refused to engage in negotiations, a strategy endorsed by most cybersecurity experts to discourage future ransomware and extortion attempts.

Reputational Crisis

The public allegations that Star Health’s own CISO was involved in selling customer data intensified the company’s reputational crisis. Although the company strongly defended its officer, the damage was significant, especially since the leak contained extremely sensitive information, including medical histories and insurance claim documents.

Impact on Customers

More than 31 million customers had their personal data leaked. This included tax details, addresses, mobile numbers, and pre-existing medical conditions, putting them at risk of identity theft and fraud. The compromise of 5.7 million claims filed with Star Health added to the severity of the breach, as those claims contained highly confidential medical information.

Lessons Learned and Strategic Insights

The Star Health cyberattack underlines several key lessons for organizations, especially those in the healthcare and insurance sectors:

  1. Data Protection and Encryption: Organizations handling sensitive personal data must ensure that they have robust encryption protocols in place, particularly for personally identifiable information (PII) and sensitive health data.

  2. Advanced Threat Detection Systems: The use of Telegram bots and rapidly shifting web-based platforms highlights the need for advanced threat detection and real-time monitoring systems capable of identifying malicious activities, even across decentralized platforms.

  3. Incident Response and Preparedness: The timeline of the Star Health response demonstrates the importance of having a well-coordinated incident response plan. Immediate reporting to authorities, prompt internal investigations, and timely legal actions were key to managing the crisis, though more proactive measures could have helped mitigate the scale of the breach.

  4. Transparency and Communication: Companies facing major data breaches must maintain clear and transparent communication with customers, regulatory authorities, and stakeholders. Star Health’s prompt notification of regulators, even though some other key steps were delayed, is an example of this.

Conclusion

The 2024 cyberattack on Star Health has left a profound impact on the healthcare insurance industry in India. The use of Telegram bots, the involvement of an alleged insider, and the sheer volume of customer data leaked make this one of the most significant data breaches in recent times. The attack serves as a stark reminder of the evolving nature of cyber threats and the need for robust cybersecurity measures across all sectors. As Star Health continues its legal and forensic investigations, this incident will likely shape future cybersecurity strategies within the healthcare industry.
