
Hacker uses Telegram chatbots to leak data of leading Indian insurer Star Health

Stolen customer data, including medical reports from India’s largest health insurer Star Health, is publicly accessible via chatbots on Telegram, just weeks after Telegram’s founder was accused of allowing the messaging app to facilitate crime.

The purported creator of the chatbots told a security researcher, who alerted Reuters to the issue, that the private details of millions of people were for sale and that samples could be viewed by asking the chatbots to divulge them.

Star Health and Allied Insurance, which has a market capitalization of more than $4 billion, said in a statement to Reuters that it had reported an alleged unauthorized access to data to local authorities. It said an initial assessment showed “no widespread compromise” and that “sensitive customer data remains secure.”

Using the chatbots, Reuters was able to download policy and claim documents containing names, phone numbers, addresses, tax details, copies of ID cards, test results and medical diagnoses.

The ability for users to create chatbots is widely credited with helping Dubai-based Telegram become one of the world’s largest messaging apps, with 900 million monthly active users.

However, the arrest of Russian-born founder Pavel Durov in France last month has increased scrutiny of Telegram’s content moderation and features open to criminal abuse. Durov and Telegram have denied wrongdoing and are addressing the criticism.

The use of Telegram chatbots to sell stolen data demonstrates the difficulty the app has in preventing malicious actors from taking advantage of its technology and highlights the challenges Indian companies face in keeping their data safe.

The Star Health chatbots feature a welcome message saying they are “from xenZen” and have been operational since at least August 6, UK security researcher Jason Parker said.

Parker said he presented himself as a potential buyer on an online hacker forum, where a user under the pseudonym xenZen said he made the chatbots and had 7.24 terabytes of data related to more than 31 million Star Health customers. Data is free via the chatbot on a random, piecemeal basis, but is for sale in bulk.

Reuters could neither independently verify xenZen’s claims nor determine how the chatbot’s creator obtained the data. In an email to Reuters, xenZen said it had held discussions with buyers, without disclosing who they were or why they were interested.

Taken down

In testing the bots, Reuters downloaded more than 1,500 files, with some documents dated as recently as July 2024.

“If this bot is removed, watch out and another one will be available in a few hours,” reads the welcome message.

The chatbots were later branded “SCAM” with a stock warning that users had reported them as suspicious. Reuters shared details of the chatbots with Telegram on September 16, and within 24 hours, spokesman Remi Vaughn said they had been “taken down” and asked to be notified if more appeared.

“Sharing private information on Telegram is expressly prohibited and will be removed whenever found. Moderators use a combination of proactive monitoring, AI tools and user reports to remove millions of pieces of harmful content every day.”

Since then, new chatbots have emerged that provide Star Health data.

Star Health said an unidentified person contacted it on August 13 claiming to have access to some of its data. The insurer reported the issue to the cyber crime department of its home state Tamil Nadu and the federal cyber security agency CERT-In.

“The unauthorized acquisition and dissemination of customer data is illegal and we are actively working with law enforcement to address this criminal activity. Star Health assures its customers and partners that their privacy is of the utmost importance to us,” its statement said.

In an Aug. 14 stock market filing, Star Health, India’s largest player among stand-alone health insurance providers, said it was investigating an alleged breach of “some claims data.”

Representatives of CERT-In and the Tamil Nadu cyber crime department did not respond to emailed requests for comment.

Unaware

Telegram allows individuals or organizations to store and share large amounts of data behind anonymous accounts. It also allows them to create customizable chatbots that automatically deliver content and features based on user requests.

Two chatbots share Star Health data. One provides claim documents in PDF format. The other allows users to request up to 20 samples from 31.2 million datasets with a single click, providing details including policy number, name and even body mass index.

Among the documents disclosed to Reuters were records related to the treatment of policyholder Sandeep TS’s one-year-old daughter at a hospital in the southern state of Kerala. The records include the diagnosis, blood test results, medical history and a bill of nearly 15,000 rupees ($179).

“It sounds worrying. Do you know how this can affect me?” Sandeep said, confirming the authenticity of the documents. He said Star Health did not notify him of any data leaks.

The chatbot also leaked a claim by policyholder Pankaj Subhash Malhotra last year, which included ultrasound test results, details of the illness and copies of his federal tax account and national identity cards. He also confirmed that the documents were genuine and said he had not been informed of any security breach.

The Star Health chatbots are part of a wider trend of hackers using such methods to sell stolen data. Of the five million people whose data was sold through chatbots, India accounted for the largest number of victims, with 12%, according to NordVPN’s latest survey of the epidemic, conducted at the end of 2022.

“The fact that sensitive data is available through Telegram is natural because Telegram is a user-friendly storefront,” said NordVPN cybersecurity expert Adrianus Warmenhoven. “Telegram has become a more user-friendly method for criminals to interact.”

(Reporting by Bing and Vengattil; Editing by Aditya Kalra and Christopher Cushing)
