The Star Health Insurance breach

A wake-up call as India prepares for the DPDP rollout

• Over 3 crore customers' data breached.
• $68,000 in ransom demands.
• False allegations by hackers to control the media narrative.

Star health breach:
What happened?

• Following a massive breach disclosed on Sept. 20, 2024, Star Health and Allied Insurance, a premium Indian health insurance company with a market valuation of approximately $4 billion, started grappling with a severe reputational and operational crisis.
• On Oct. 12, 2024, Star Health revealed that cybercriminals demanded a $68,000 ransom in exchange for access to the stolen confidential customer information, including sensitive medical records.

Who did it?

• The threat actor named xenZen, notorious for targeting Indian organizations, obtained sensitive credentials from the dark web and exploited critical vulnerabilities, thereby accessing sensitive data simply by manipulating URLs or queries.

Attack vectors

The top attack vectors involved in this breach are:

• Credential compromise
  Attackers used stolen or weak credentials to access critical systems. This often occurs through phishing or previously leaked credentials.
• Dark web exploitation
  Information like stolen credentials was sourced from the dark web. This highlights the importance of monitoring for leaked data.
• Web API vulnerability exploitation
  Vulnerabilities in web APIs allowed attackers to bypass security controls. Such exploits can lead to unauthorized access or data exfiltration.

Data breached

The compromised data included sensitive medical records, PII such as names, contact details, and insurance policy numbers, and in some cases, financial information.

Insider involvement?

• The hacker claimed that Star Health's Chief Information Security Officer (CISO) sold all the data and later tried to change the terms of their deal." —The Economic Times, Oct. 9, 2024
• This has been reported as a deliberate attempt to shift the narrative and sensationalize the issue by the threat actor.

Long-term impact

DPDP Act and scrutiny

If the Digital Personal Data Protection (DPDP) Act were fully enforced, Star Health Insurance would face severe scrutiny for its data handling practices. They could be subject to heavy fines for non-compliance with data protection laws, especially if negligence is found. The DPDP allows fines up to ₹500 crore for data protection violations.

What could have the organization done?

Though the methods used in breaches are becoming more sophisticated, cases like this can be avoided with necessary practices like dark web monitoring for sensitive credentials and vulnerability and risk management.

What’s next?

Stay tuned as we track cybersecurity trends and threats. Will quantum technology or deep learning be the next big disruptor? Our monthly series will keep you ahead of the curve.

Subscribe to our web stories. Receive snackable content on cyber news, trends, tools, and a lot more.