The hacker behind the leak of sensitive data affecting millions of Star Health customers has claimed that the company’s chief information security officer (CISO), Amarjeet Khanuja, granted access to user data via application programming interfaces (APIs).
The hacker, using the moniker ‘xenZen,’ has launched a website ‘Star Health Leaks’, with links to two self-hosted leak bots. FE reviewed these leak bots and was able to download policy documents of random Star Health customers that contained sensitive and private details such as names, full addresses, PAN information, phone numbers, details of dependents, policy coverage, and pre-existing conditions.
“Star Health management’s CISO, Amarjeet (as mc6), sold me all this data and later attempted to renegotiate the deal, claiming senior management wanted more money for continued backdoor access,” the hacker’s website alleges. The hacker also uploaded a video of the conversation, allegedly showing the CISO negotiating the deal.
“I have thoroughly analysed the video as a security researcher, and it doesn’t appear to be fake or tampered with. The emails load live as he browses them, ruling out the possibility of spoofing or editing,” Jason Parker, a UK-based cybersecurity researcher, told FE in an emailed response.
Parker added that the hacker has offered to demonstrate live, through screen-sharing, how he accesses the CISO’s emails. “If this were fake, he wouldn’t risk doing that, as it would expose him. I believe this matter needs to be investigated by an independent government agency,” he said.
Parker was the first to uncover the data breach at Star Health and tipped off Reuters last month while tracking the Chinese cyber threat actor ‘xenZen.’
On his website, the hacker claims to possess 7.24 TB of data, including 6 million insurance claims. He displayed samples of 500 random users’ data, along with a list of government officials from Maharashtra Police, the income tax department, the CAG, and even India’s cybersecurity agency, the National Informatics Centre. The hacker is offering the entire dataset for sale at $150,000.
Star Health did not respond to FE’s request for comment regarding the alleged involvement of its CISO or the security measures the company has implemented to prevent such breaches from recurring. The company has also not made any disclosures to the stock exchange since Reuters first reported the data breach on September 20.
According to a Reuters report, Star Health said in response to its query that its CISO was cooperating in the investigation, which has so far found no evidence of his involvement.
Shares of Star Health closed at Rs 565.5 on the NSE on Thursday, down 2%.