Hacker exploits Telegram chatbots to leak data from leading Indian insurer Star Health

This breach comes just weeks after the platform’s founder faced criticism for allowing its use in criminal activities, according to reports.

The alleged creator of these chatbots informed a security researcher—who subsequently notified Reuters—that private information of millions is available for purchase, with sample data accessible via chatbot requests.

Star Health and Allied Insurance, valued at over $4 billion, stated to Reuters that it has reported the unauthorized access to local authorities.

The company claimed that an initial investigation revealed "no widespread compromise" and assured that "sensitive customer data remains secure."

Through the chatbots, Reuters accessed over 1,500 files containing policy and claims documents, including names, phone numbers, addresses, tax information, ID copies, test results, and medical diagnoses.

Telegram's feature allowing users to create chatbots has contributed to its growth as a messaging platform, now boasting 900 million monthly active users.

However, the recent arrest of its founder, Pavel Durov, in France has raised concerns about the platform's ability to monitor content and prevent misuse.

Both Durov and Telegram have denied any wrongdoing and are addressing the criticism.

The use of Telegram for data sales highlights the platform's struggles to curb criminal exploitation and underscores the challenges faced by Indian companies in protecting their information, according to Reuters.

The chatbots, identified as "by xenZen," have been operational since at least August 6, Reuters reported, citing UK-based security researcher Jason Parker.

Parker engaged with a user named xenZen on a hacker forum, who claimed to have created the chatbots and possessed 7.24 terabytes of data related to over 31 million Star Health customers.

The data is available for free in small quantities via the chatbot, but is also offered for sale in bulk, as per reports.

While Reuters could not verify xenZen's claims or the source of the data, the chatbot creator indicated they were negotiating with potential buyers.

During testing, Reuters downloaded documents dated as recently as July 2024. A message from the chatbot warned, "If this bot gets taken down, another one will be available within hours."

After being flagged as a "SCAM" by users, Reuters reported the chatbots to Telegram on Monday (Sept. 16).

Within 24 hours, a spokesperson confirmed they had been taken down and requested notification if new ones appeared.

"The sharing of private information on Telegram is expressly forbidden and is removed whenever discovered," a Telegram spokesperson stated, noting their use of proactive monitoring and AI tools to combat harmful content.

Star Health disclosed that someone contacted them on August 13 claiming to have access to their data, prompting the insurer to inform Tamil Nadu's cybercrime department and CERT-In, India's federal cybersecurity agency.

They reaffirmed their commitment to customer privacy and cooperation with law enforcement.

In an August 14 stock filing, Star Health mentioned they were investigating an alleged breach involving "a few claims data," according to Reuters.

Telegram allows users to store and share extensive data anonymously and create customizable chatbots that deliver content based on user inquiries.

Two chatbots are currently distributing Star Health data, including claim documents and the ability to request samples from 31.2 million datasets with one click, Reuters reported.

Among the leaked documents were medical records related to a policyholder’s one-year-old daughter, containing diagnosis details and treatment bills, which the parent confirmed were authentic, reports said.

Another leaked claim included ultrasound results and personal information of another policyholder, who also verified the documents and stated he was unaware of any breach, as per reports.

This incident reflects a growing trend of hackers utilizing chatbots to sell stolen data, with a survey revealing that India represents 12 percent of the five million individuals whose data was sold in this manner, according to the Reuters report.