Parker said he posed as a potential buyer on an online hacker forum where a user under the alias xenZen said he created the chatbots and possessed 7.24 terabytes of data relating to more than 31 million Star Health customers.
Stolen customer data, including medical records from India’s largest health insurer Star Health, is publicly accessible through chatbots on Telegram, just weeks after Telegram’s founder was accused of allowing the messaging app to facilitate the crime.
The purported creator of the chatbots told a security researcher, who alerted Reuters to the issue, that millions of people’s private details were for sale and that samples could be seen by asking the chatbots to divulge them.
Star Health and Allied Insurance, whose market capitalisation exceeds $4 billion, said in a statement to Reuters that it had informed local authorities of suspected unauthorised access to data. It added that an initial assessment showed “no widespread breach” and that “sensitive customer data remains secure”.
Using chatbots, Reuters was able to download policy and claims documents that included names, phone numbers, addresses, tax information, copies of IDs, test results and medical diagnoses.
Dubai-based Telegram is widely credited with giving users the ability to create chatbots, and has become one of the world’s largest messaging apps with 900 million monthly active users.
However, the arrest of Telegram founder Pavel Durov, a Russian native, in France last month has increased scrutiny over Telegram’s content moderation and features that can be abused for criminal purposes. Durov and Telegram have denied wrongdoing and are responding to criticism.
Telegram’s use of chatbots to sell stolen data demonstrates the app’s struggle to prevent malicious actors from exploiting its technology and highlights the challenges Indian companies face in keeping their data secure.
Star Health’s chatbots feature a welcome message stating they are “from xenZen” and have been operational since at least Aug. 6, said U.K. security researcher Jason Parker.
Parker said he posed as a potential buyer on an online hacker forum where a user with the alias xenZen said he had created the chatbots and was in possession of 7.24 terabytes of data relating to more than 31 million Star Health customers. The data is obtained for free through the chatbot in a random and fragmented manner, but is sold in bulk.
Reuters could not independently verify xenZen’s claims or determine how the chatbot’s creator obtained the data. In an email to Reuters, xenZen said it was in talks with buyers without disclosing who or why they were interested.
Felled
While testing the bots, Reuters downloaded more than 1,500 files, with some documents dated as early as July 2024.
“If this bot is removed, be careful; another one will be available in a few hours,” the welcome message said.
The chatbots were later labelled as “SCAM” with a warning that users had reported them as suspicious. Reuters shared details of the chatbots with Telegram on 16 September and within 24 hours spokesman Remi Vaughn said they had been “removed” and asked to be informed if more appeared.
“Sharing private information is expressly prohibited on Telegram and is removed as soon as it is detected. Moderators use a combination of proactive monitoring, AI tools, and user reports to remove millions of pieces of harmful content every day.” New chatbots offering Star Health data have since appeared.
Star Health said an unidentified person contacted them on August 8.
Thirteen people claimed to have access to some of her data. The insurer reported the matter to the cybercrime department of her home state, Tamil Nadu, and to the federal cybersecurity agency CERT-In.
“The unauthorized acquisition and dissemination of customer data is illegal and we are actively working with law enforcement to address this criminal activity. Star Health assures its customers and partners that their privacy is of utmost importance to us,” it said in its statement.
In an Aug. 14 stock exchange filing, Star Health, India’s largest player among standalone health insurance providers, said it was investigating an alleged breach of “some claims data.”
Representatives of CERT-In and the Tamil Nadu cybercrime department did not respond to emailed requests for comment.
Unconscious
Telegram allows individuals and organizations to store and share large amounts of data in anonymous accounts. It also lets them create customizable chatbots that automatically deliver content and features based on user requests.
Two chatbots distribute Star Health data. One offers claims documents in PDF format. The other allows users to request up to 20 samples from 31.2 million data sets with a single click, providing details such as policy number, name and even body mass index.
Among the documents disclosed to Reuters were records relating to the treatment of insured Sandeep TS’s one-year-old daughter at a hospital in the southern state of Kerala. The records included diagnosis, blood test results, medical history and a bill for nearly 15,000 rupees ($179).
“It sounds worrying. Do you know how this can affect me?” Sandeep said, confirming the authenticity of the documents. He added that Star Health had not notified him of any data breach.
The chatbot also leaked a claim from last year of policyholder Pankaj Subhash Malhotra, which included ultrasound imaging test results, disease details and copies of federal tax bill and national identity documents. It also confirmed that the documents were genuine and said it was not aware of any security breach.
Star Health’s chatbots are part of a broader trend of hackers using these methods to sell stolen data. Of the five million people whose data was sold via chatbots, India accounted for the largest number of victims (12%), according to NordVPN’s latest epidemic survey conducted in late 2022.
“The fact that sensitive data is available via Telegram is natural, because Telegram is a user-friendly platform,” said NordVPN cybersecurity expert Adrianus Warmenhoven. “Telegram has become an easier-to-use method for criminals to interact.”
(Only the headline and image of this report may have been reworked by Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)
First published: September 20, 2024 | 10:28 am IS
Disclaimer:
The information contained in this post is for general information purposes only. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the post for any purpose.
We respect the intellectual property rights of content creators. If you are the owner of any material featured on our website and have concerns about its use, please contact us. We are committed to addressing any copyright issues promptly and will remove any material within 2 days of receiving a request from the rightful owner.