Star Health Refused to Pay $68,000 Ransom to Stop Data Leak

Hacker Emailed Star Health CEO With Ransom Demand Before Going Public
BSE, formerly the Bombay Stock Exchange, in Mumbai, India (Image: Shutterstock)

The feud between Indian insurance company Star Health and Allied Insurance Co. and a hacker who claims to have the data of 31.2 million insurance customers took another turn this weekend. The insurer revealed that the hacker demanded a $68,000 ransom before posting the data on a leak website.

The insurance company said in response to questions from BSE, formerly the Bombay Stock Exchange, on Saturday that the hacker sent multiple demands by email to CEO and Managing Director Anand Roy between Aug. 13 and 22, using the email addresses vladislav5533@outlook[.]com and vladislav5511@outlook[.]com.

After the company refused to pay the ransom, the hacker - who goes by the name xenZen - set up a website - starhealthscam[.]in - to announce the data leak to the public and post the data repository for sale.

But the email addresses in the company filing did not match the address on the data leak site. XenZen told Information Security Media Group on Monday that he did not demand any ransom from the company or send an email to the CEO. "Seems someone else hacked them too. That ransom email is not me," he said in an emailed response.

The insurance company said in its stock exchange filing that every time it worked with authorities to take down a data leak website, the hacker set up a new one to post samples of the stolen data and offer the repository for sale for $150,000.

The hacker also set up new bots on Telegram to leak the stolen data every time Telegram deleted existing bots at the request of Star Health. At the time of writing, xenZen continues to use a self-hosted website - starhealthleak[.]st - and two new bots to advertise customer data and insurance claims data to prospective buyers.

Star Health sued Telegram in the Madras High Court after it said the messaging service "refused to share the account KYC details or permanently ban the [threat actor's] accounts despite multiple notices." A hearing on the lawsuit is scheduled Oct. 25.

The hacker also told ISMG that he plans to attend the court hearing virtually to offer testimony. "I [have] seen that Star Health statement. They lied so much lol. I will join the court hearing and give all facts," he said.

The insurance company said it informed India's Insurance Regulatory and Development Authority and the federal cybersecurity investigations agency CERT-In about the material security incident soon after it received a ransom demand.

Indian data privacy activist and CyberX9 Founder Himanshu Pathak has petitioned the Madras High Court to direct India's central government to act against Star Health Insurance over the data breach incident. A government representative told the court that only the IRDAI can conduct an enquiry into the security incident. The court has agreed to hear the petition.

The Insurance Regulatory and Development Authority of India did not immediately respond to Information Security Media Group's request for comment.

In addition to trying to sell the Star Health data, the hacker claims Star Health's chief information security officer - Amarjeet Khanuja - sold him the customer and claims data for $43,000 before reneging on the deal and demanding more money. Star Health said last week that the CISO is cooperating in the investigation and the company has not found any evidence of wrongdoing so far (see: Hackers' Claims About CISO Are Focus of Star Health Probe).


About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.
