The insurance firm’s CISO took $150,000 for selling 7.24 terabytes of data, according to the hacker who said the company’s senior management was involved in the data breach.

Just when it seemed like the dust was beginning to settle, the Star Health data breach took a dramatic and shocking turn. According to claims from the hacker behind the breach, Amarjeet Khanuja, the chief information security officer (CISO) of Star Health and Allied Insurance, allegedly sold sensitive customer data for $150,000.

The hacker, known as xenZen, further accused Khanuja of later attempting to change the deal terms, suggesting that the company’s senior management demanded more money for ongoing backdoor access.

“Star Health management CISO (Chief information security officer) Amarjeet (as mc6) sold all this data to me and then attempted to change deal terms saying senior management of the company needs more money for backdoor access,” the hacker wrote on his website. “This leak is sponsored by Star Health and Allied Insurance Company, who sold this data to me directly.”

A text message query to Khanuja elicited no response.

The breach exposed over 7.24 terabytes of sensitive customer information, including highly personal details such as full names, PAN and mobile numbers, email addresses, dates of birth, residential addresses, pre-existing medical conditions, policy numbers, nominee details, and even the height and weight of insured individuals.

The hacker’s revelations have gone viral on social media, with a post by a user named Deedy Das sharing an alleged email exchange between Khanuja and the hacker. According to the post, Khanuja, in his capacity as CISO, brokered the sale of Star Health’s customer data, delivering the treasure trove of private details to the hacker. The data reportedly fetched a price of $150,000.
In a stunning twist, the hacker has alleged that after the transaction was completed, Khanuja attempted to alter the deal, stating that Star Health’s senior management wanted more money in exchange for continued backdoor access to the company’s systems. If proven true, the claim would indicate a staggering breach of internal security protocols and ethical standards, bringing serious legal and reputational consequences for the insurer.

“We acknowledge that we were the victim of a targeted malicious cyberattack, resulting in unauthorized and illegal access to certain data,” Star Health and Allied Insurance said in a statement. “We make it absolutely clear that our operations remain unaffected, and all services continue without disruption.”

However, these new revelations about internal complicity within Star Health’s leadership raise critical concerns about the company’s security practices and ethics. If true, it points to a deep-rooted vulnerability in the company’s internal data governance.

“We also want to categorically mention that our CISO has been duly co-operating in the investigation and we have not arrived at any finding of wrongdoing by him to date. We request that his privacy be respected as we know that the threat actor is trying to create panic. We also want to emphasize that any unauthorized acquisition, possession, or dissemination of customer data is illegal,” Star Health said.

The fallout and investigation

The data breach first came to light in August 2024, when chatbots on Telegram were found offering the compromised data to users. At the time, Star Health had claimed in its statements that there was “no widespread compromise” of sensitive customer data, a position that now appears increasingly untenable in light of these new allegations.

On Thursday, the insurance company said a thorough and rigorous forensic investigation led by independent cybersecurity experts is currently underway.
“We are closely working with government and regulatory authorities at every stage of the investigation,” the statement added.

The company had previously reported the breach to the cybercrime department of Tamil Nadu and the national cybersecurity agency CERT-In.

The management’s alleged involvement in this security incident will undoubtedly cast a dark shadow over ongoing investigations and will likely lead to even more intense scrutiny from regulators and law enforcement agencies.

The breach had already prompted significant concerns about the company’s data security infrastructure and its ability to safeguard sensitive medical and personal information. With these new claims, the spotlight will intensify on how well Star Health vets its internal staff and controls access to critical customer data.