Hacker Employs Telegram Chatbots to Expose Data from Star Health Insurance.
Stolen customer data, including medical reports, from India's largest health insurer, Star Health, is publicly available through chatbots on Telegram. This comes just weeks after the founder of Telegram was criticized for allowing the app to be used for criminal activities.
The alleged creator of the chatbots informed a security researcher, who then alerted Reuters, that private information of millions is for sale and that samples can be accessed by requesting the chatbots to reveal them.
Star Health and Allied Insurance, with a market capitalization exceeding $4 billion, stated to Reuters that it has reported the unauthorized data access to local authorities. It added that an initial assessment indicated "no widespread compromise" and assured that "sensitive customer data remains secure."


Through the chatbots, Reuters was able to access and download policy and claims documents that included names, phone numbers, addresses, tax information, ID card copies, test results, and medical diagnoses.
The platform's chatbot creation feature is often credited with contributing to Telegram’s rise as one of the largest messaging apps globally, boasting 900 million active monthly users.
However, the recent arrest of Russian-born founder Pavel Durov in France has heightened scrutiny over Telegram's content moderation and its features that can be misused for criminal activities. Durov and Telegram have denied any wrongdoing and are responding to the criticism.
The use of Telegram chatbots to sell stolen data illustrates the app's struggle to prevent malicious actors from exploiting its technology, and it underscores the challenges that Indian companies encounter in safeguarding their data.
The Star Health chatbots include a welcome message indicating they are "by xenZen" and have been active since at least August 6, according to UK-based security researcher Jason Parker.
Parker reported that he posed as a potential buyer on an online hacker forum, where a user with the alias xenZen claimed to have created the chatbots and to possess 7.24 terabytes of data concerning over 31 million Star Health customers. The data is accessible for free through the chatbot in a random, fragmented manner, and it is available for purchase in bulk.
Taken Down
During tests of the bots, Reuters downloaded over 1,500 files, some of which were dated as recently as July 2024.


The welcome message stated, "If this bot is taken down, be cautious—another one will be up in just a few hours."
Later, the chatbots were labeled as "SCAM" with a warning that users had flagged them as suspicious. On September 16, Reuters provided details about the chatbots to Telegram. Within 24 hours, spokesperson Remi Vaughn confirmed they had been "removed" and requested notification if more surfaced.
"Sharing private information on Telegram is strictly prohibited and is promptly removed when detected. Moderators employ a mix of proactive monitoring, AI tools, and user reports to eliminate millions of pieces of harmful content each day."
New chatbots have emerged that provide access to Star Health data.
Star Health reported that an unidentified individual contacted them on August 13, claiming to possess some of their data. The insurer informed the cybercrime department in Tamil Nadu and the federal cybersecurity agency, CERT-In, about the incident.
"The unauthorized acquisition and distribution of customer data is illegal, and we are actively collaborating with law enforcement to combat this criminal activity. Star Health emphasizes that protecting our customers' privacy is our top priority," the company stated.
In a stock exchange filing on August 14, Star Health, India's leading standalone health insurance provider, announced that it was investigating a potential breach involving "a few claims data."
Representatives from CERT-In and the Tamil Nadu cybercrime department did not respond to email inquiries.
Unawareness
Telegram allows users and organizations to store and share substantial amounts of data through anonymous accounts, as well as create customizable chatbots that automatically deliver content based on user requests.
Two chatbots are currently distributing Star Health data. One provides claim documents in PDF format, while the other enables users to request up to 20 samples from 31.2 million datasets with a single click, revealing details such as policy numbers, names, and even body mass index.
Among the documents shared with Reuters were records concerning the treatment of Sandeep TS's one-year-old daughter at a hospital in Kerala. The records included diagnoses, blood test results, medical history, and a bill of nearly 15,000 rupees ($179).
"This is concerning. Do you know how this could impact me?" Sandeep asked, confirming the authenticity of the documents. He noted that Star Health had not informed him of any data breach.
The chatbot also leaked a claim from last year by policyholder Pankaj Subhash Malhotra, which included ultrasound test results, details of his illness, and copies of federal tax documents and national ID cards. He confirmed the authenticity of these documents and stated he had not been notified of any security issues.
The Star Health chatbots are part of a larger trend where hackers use similar methods to sell stolen data. According to a survey conducted by NordVPN at the end of 2022, India accounted for the largest share of victims—12%—among the five million people whose data was sold via chatbots.
"The availability of sensitive data on Telegram is not surprising, as it serves as an easy-to-use storefront," noted NordVPN cybersecurity expert Adrianus Warmenhoven. "Telegram has become a more accessible platform for criminals to operate."