Star Health Insurance Data Leak: A Tale of Scandal, Cybercrime, and Disinformation
Star Health Data Leak: Unraveling a Cyber Scandal
In August 2024, Star Health, India’s leading health insurer, faced a significant data breach exposing sensitive customer information, including medical records and personal details. The hacker, known as xenZen, used Telegram chatbots to disseminate the stolen data, claiming to possess over 7 terabytes affecting more than 31 million customers. Star Health received a $68,000 ransom demand and initiated legal action against Telegram and the hacker, while investigations absolved its Chief Information Security Officer of alleged involvement. The incident underscores the critical need for robust cybersecurity measures and highlights the challenges organisations face in combating cybercrime and disinformation.
Shivam Dharpure
10/17/2024, 4 min read
Breaking Down the Events of a High-Stakes Data Breach – Allegedly with Video Proof
Inside the Star Health Data Breach: Allegations, Deals, and Disinformation
Introduction
In the complex world of cybercrime, insider conspiracy and breaches of trust are as dangerous as technical vulnerabilities. The Star Health Insurance data breach, which has rocked the Indian cybersecurity landscape, is a case that blurs the lines between fact and fiction. Allegations have surfaced against the CISO of Star Health Insurance, Amarjeet Khanuja, accusing him of leaking sensitive data to a hacker known as xenZen. But as with many cyber incidents, there’s more to this story. Let’s dive into the timeline of events outlined by xenZen, the hacker, who claims to have video proof of the alleged collaboration.
The Alleged Hacker’s Story – Events with “Video Proof”
1. Initial Contact – July 6, 2024:
According to xenZen, the breach started when Amarjeet Khanuja, Star Health’s CISO, reached out to him on July 6, 2024, through a referral from another hacker named Denol. The conversation took place on the encrypted chat platform Tox, where Khanuja supposedly initiated the discussion, seeking to sell sensitive customer data from Star Health’s systems.
2. The First Deal – July 6, 2024:
xenZen claims that after some negotiation, he agreed to pay $28,000 in Monero (XMR), a cryptocurrency known for its privacy features, in exchange for customer data. Khanuja, apparently unaware of Bitcoin’s traceability and unfamiliar with the concept of escrow, chose Monero for the transaction. Following the agreement, the payment was made on July 8, and Khanuja allegedly sent login credentials and an API endpoint to the hacker’s Proton Mail account. Once the payment had gone through, the hacker gained access to Star Health’s customer data.
3. The Second Deal – July 20, 2024:
Not long after the first transaction, Khanuja allegedly returned with another offer. This time, he proposed selling insurance claims data from Star Health’s database. After reviewing sample data for a day, xenZen agreed to the deal and repeated the earlier process: he paid $15,000 and obtained another significant portion of sensitive data.
4. The Ransom Demand – July 25, 2024:
Just five days after the second deal, xenZen’s access to Star Health’s systems was suddenly revoked. When the hacker confronted Khanuja, he was told that he had already extracted 5 TB of data and that Star Health’s senior management now wanted a cut. The CISO allegedly demanded $150,000 to reinstate the hacker’s access.
5. The Hacker’s Warning – July 25, 2024:
Angered by this sudden demand for more money, xenZen reportedly asked for a refund or a resolution. With no response from Khanuja, the hacker issued a final warning but received no further communication.
6. The Data Leak – September 25, 2024:
On September 25, 2024, xenZen launched the starhealthleak website, which contained Star Health’s customer and claims data for sale. The website featured two Telegram bots that allowed interested buyers to purchase specific data sets, with full customer data priced at $150,000 and smaller, customizable sets available for $10,000 each.
For more details, refer to the video posted by the hacker on the website, which claims to reveal Khanuja’s involvement.
Star Health’s Official Response
Amid these severe allegations, Star Health Insurance has provided an official response, rejecting claims of insider collusion. Here’s their account of events:
1. September 20, 2024 – Official Statement:
Star Health issued a statement confirming that they had suffered a data breach. However, they stressed that no evidence had been found to support the hacker’s claims that their CISO, Amarjeet Khanuja, was involved. The company hired independent third-party investigators to assess the situation.
2. October 12, 2024 – Denial of Insider Involvement:
Star Health acknowledged the theft of sensitive customer and claims data but categorically denied the hacker’s assertion that Khanuja was involved in any illegal activity. They disclosed receiving a ransom demand for $68,000 but did not comply. The company’s focus has remained on fortifying its defences and cooperating with law enforcement.
Debunking the Hacker’s Claims – CloudSEK’s Investigation
To clarify the situation, CloudSEK, a cybersecurity firm, conducted a thorough investigation. Here’s what they uncovered:
1. Fabricated Insider Involvement:
CloudSEK’s investigation revealed that the hacker had manipulated email evidence by editing the HTML of the messages as rendered in the browser, making it appear that Khanuja was behind the data leaks. This technique, often called the “inspect element” trick, allowed the hacker to fabricate an email chain that looked legitimate in screenshots and video.
2. Stolen Credentials from Previous Breach:
The credentials xenZen claimed Khanuja had provided were in fact taken from an earlier data breach unrelated to Star Health. Logged in with these credentials, the hacker exploited an Insecure Direct Object Reference (IDOR) vulnerability in Star Health’s systems: the application checked that a request came from an authenticated user, but not that the user was entitled to the specific records being requested.
3. Misinformation and Manipulation:
CloudSEK’s report pointed out that xenZen had a history of spreading misinformation and had likely targeted Star Health for financial and geopolitical reasons. The hacker’s goal was not just monetary gain but to cause chaos and undermine trust in Indian institutions.
For further details on CloudSEK’s findings, read the full report here.
Final Thoughts: The Bigger Picture
The Star Health breach is a stark reminder that cyber threats are not limited to technological vulnerabilities. Insider threats, misinformation campaigns, and social engineering can all play a role in modern cyberattacks. As this case shows, it is often difficult to separate fact from fiction when both sides present conflicting narratives.
Key Lessons:
1. Secure APIs:
This breach highlights the importance of API security. Authentication alone is not enough; companies must enforce authorisation on every object an API exposes, so that an authenticated but unauthorised user cannot retrieve other customers’ records.
2. Be Wary of Disinformation:
As seen in this case, disinformation is becoming a standard weapon in cybercrime. Companies must be prepared to respond to cyberattacks, manage the narrative, and effectively counter false claims.
3. Crisis Management and Transparency:
Handling a breach requires transparency and a clear communication strategy. Organisations must proactively engage the public and cooperate with investigators to mitigate the damage caused by such attacks.
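The IDOR pattern described in CloudSEK’s findings and in the “Secure APIs” lesson, shown as an added example (not code from the post, from Star Health, or from CloudSEK’s report): a claims lookup that only checks for a login beside one that also checks object ownership, plus a detector that flags sessions walking through many record ids. The records, user names and log lines are constructed for illustration.

```python
"""IDOR: vulnerable vs. hardened object access, plus a simple enumeration detector.

Added example; the records, users and request log below are constructed,
not data from the Star Health incident.
"""
from collections import defaultdict

# Constructed sample data: claim_id -> owning customer and claim contents
CLAIMS = {
    1001: {"owner": "cust_A", "diagnosis": "REDACTED-A"},
    1002: {"owner": "cust_B", "diagnosis": "REDACTED-B"},
    1003: {"owner": "cust_C", "diagnosis": "REDACTED-C"},
}

def get_claim_vulnerable(session_user, claim_id):
    """IDOR: any authenticated session can read any claim by supplying its id.
    Authentication is checked; authorisation (does this user own the object?) is not."""
    if session_user is None:
        raise PermissionError("login required")
    return CLAIMS.get(claim_id)

def get_claim_hardened(session_user, claim_id):
    """Object-level authorisation: the lookup is scoped to the caller's own records,
    and a foreign id is indistinguishable from a missing one (no 'exists' oracle)."""
    if session_user is None:
        raise PermissionError("login required")
    record = CLAIMS.get(claim_id)
    if record is None or record["owner"] != session_user:
        return None
    return record

def enumeration_suspects(log_lines, threshold=3):
    """Flag sessions that request more distinct object ids than one customer plausibly owns.
    Log format is constructed: '<session_user> GET /claims/<id> <status>'."""
    ids_by_user = defaultdict(set)
    for line in log_lines:
        user, _method, path, _status = line.split()
        ids_by_user[user].add(path.rsplit("/", 1)[1])
    return sorted(u for u, ids in ids_by_user.items() if len(ids) >= threshold)

# Constructed access log: cust_A walks sequential ids, cust_B reads only its own claim.
SAMPLE_LOG = [
    "cust_A GET /claims/1001 200",
    "cust_A GET /claims/1002 200",
    "cust_A GET /claims/1003 200",
    "cust_B GET /claims/1002 200",
]
```

Returning the same "not found" result for foreign and non-existent ids keeps the hardened endpoint from confirming which record ids exist.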
Conclusion
The Star Health data breach is more than just a technical incident. It involves elements of social engineering, misinformation, and insider accusations, making it a case study in the multifaceted nature of modern cyberattacks.
Made it this far? Hold on, there’s another angle on this case on our YouTube channel; subscribe, because it will be worth watching.
I'd like you to watch the detailed video about this leak in Hindi here.
-Shivam Dharpure
Founder & Director
Visionary Bose Pvt. Ltd.
