
Hacker uses Telegram chatbots to leak Star Health insurance data

Stolen customer data, including medical reports from India’s largest health insurer, Star Health, is publicly available via chatbots on Telegram, just weeks after Telegram’s founder was accused of enabling the app to facilitate crimes.

The alleged creator of the chatbots told a security researcher who alerted Reuters to the issue that the private data of millions of people was up for sale and that samples could be viewed by asking the chatbots to reveal it.

Star Health and Allied Insurance, which has a market capitalization of more than $4 billion, said in a statement to Reuters that it had reported the alleged unauthorized access to local authorities. It said an initial assessment found “no widespread breach” and that “sensitive customer data remains secure.”

Using chatbots, Reuters was able to retrieve policy and claims documents containing names, phone numbers, addresses, tax details, copies of ID cards, test results and medical diagnoses.

The ability for users to create chatbots is widely credited with helping Dubai-based Telegram become one of the world’s largest messaging apps, with 900 million monthly active users.

But the arrest of Russian-born founder Pavel Durov in France last month has increased scrutiny of Telegram’s content moderation and features that are prone to abuse for criminal purposes. Durov and Telegram deny any wrongdoing and have addressed the criticism.

The use of Telegram chatbots to sell stolen data highlights how difficult it is for the app to prevent malicious actors from exploiting its technology, and underscores the challenges Indian companies face in keeping their data safe.

The Star Health chatbots display a welcome message saying they are “by xenZen” and have been operating since at least August 6, said Jason Parker, a British security researcher.

Parker said he posed as a potential buyer on an online hacker forum, where a user named xenZen said they had created the chatbots and possessed 7.24 terabytes of data on more than 31 million Star Health customers. The data is freely available through the chatbot in a random, piecemeal fashion, but is sold in bulk.

Reuters could not independently verify xenZen’s claims or determine how the chatbot creator obtained the data. In an email to Reuters, xenZen said it was in talks with buyers, without disclosing who they were or why they were interested.

Taken down

As part of the bot tests, Reuters downloaded more than 1,500 files, some of which dated back to July 2024.

“If this bot goes down, be careful, we will be releasing another one in a few hours,” the welcome message read.

The chatbots were later flagged as “FRAUD” with a warning that users had reported them as suspicious. Reuters shared details about the chatbots with Telegram on September 16, and within 24 hours, spokesman Remi Vaughn said they had been “removed” and asked to be notified if more emerged.

“Sharing private information on Telegram is expressly prohibited and is removed when found. Moderators use a combination of proactive monitoring, AI tools, and user reporting to remove millions of pieces of harmful content every day.”

Since then, new chatbots have emerged offering Star Health data.

Star Health said it was contacted on August 13 by an unidentified person who claimed to have access to some of the data. The insurer reported the matter to the cybercrime department in its home state of Tamil Nadu and federal cybersecurity agency CERT-In.

“The unauthorized acquisition and distribution of customer data is illegal, and we are actively working with law enforcement to address this criminal activity. Star Health assures its customers and partners that their privacy is of paramount importance to us,” the statement reads.

In a stock exchange filing on August 14, Star Health, India’s largest player in the independent health insurance market, said it was investigating an alleged breach of security of “several claims data.”

Representatives from CERT-In and the Tamil Nadu Cybercrime Department did not respond to emailed requests for comment.

Unaware

Telegram allows individuals or organizations to store and share large amounts of data through anonymous accounts. It also allows them to create customizable chatbots that automatically deliver content and features based on user requests.

Two chatbots distribute Star Health data. One offers claims documents in PDF format. The other lets users request up to 20 samples from 31.2 million data sets with a single click, providing details such as policy number, name and even body mass index.

Among the documents released to Reuters were records of the treatment of the 1-year-old daughter of policyholder Sandeep TS at a hospital in the southern state of Kerala. The records included a diagnosis, blood test results, medical history and a bill for almost 15,000 rupees ($179).

“That sounds alarming. Do you know how it could affect me?” Sandeep said, confirming the authenticity of the documents. He said Star Health had not notified him about any data breach.

The chatbot also revealed a claim filed last year by policyholder Pankaj Subhash Malhotra, which included ultrasound results, medical details, and copies of his federal tax account and national identity cards. He also confirmed that the documents were authentic and said he had not been informed of any security breach.

The Star Health chatbots are part of a broader trend of hackers using such methods to sell stolen data. Of the five million people whose data was sold via chatbots, India accounted for the largest number of victims, at 12%, according to NordVPN’s latest outbreak study, conducted in late 2022.

“The fact that sensitive data is accessible via Telegram is natural, as Telegram is an easy-to-use marketplace,” said NordVPN cybersecurity expert Adrianus Warmenhoven. “Telegram has become an easier method of interaction for criminals to use.”

© Thomson Reuters 2024

(This story has not been edited by NDTV staff and is auto-generated from a feed.)