Stolen Star Health Customer Data Leaked via Telegram Chatbots
Stolen customer data, including medical reports from India’s largest health insurer, Star Health, has been made publicly accessible via chatbots on Telegram. This leak comes just weeks after Telegram’s founder, Pavel Durov, was accused of allowing the messenger app to facilitate criminal activities.
The creator of the chatbots, who goes by the alias xenZen, told a security researcher—who later informed Reuters—that private details of millions of people were available for sale, with sample data accessible through the chatbots.
Star Health’s Response
Star Health and Allied Insurance, whose market capitalization exceeds $4 billion, acknowledged the issue in a statement to Reuters. The company reported the alleged unauthorized data access to local authorities. However, Star Health’s initial assessment indicated “no widespread compromise” and stated that “sensitive customer data remains secure.”
Despite these assurances, Reuters was able to download policy and claims documents via the chatbots. The leaked documents featured personal details such as names, phone numbers, addresses, tax information, ID card copies, medical test results, and diagnoses.
Telegram’s Role in Data Leaks
Telegram has become one of the world’s largest messaging apps, with 900 million monthly active users. One key feature contributing to its success is the ability for users to create custom chatbots. However, this same feature has been exploited by criminals, raising concerns about the app’s content moderation and security features.
The arrest of Telegram’s Russian-born founder, Pavel Durov, in France last month has intensified scrutiny of the platform. While Durov and Telegram deny any wrongdoing, they are working to address the criticism surrounding their platform’s potential for abuse by criminals.
Operation of the Star Health Chatbots
The Star Health chatbots were identified by UK-based security researcher Jason Parker, who found that they had been operational since at least August 6, 2024. Posing as a potential buyer, Parker engaged with a user under the alias xenZen on a hacker forum. The user claimed to have created the chatbots and to possess 7.24 terabytes of data related to over 31 million Star Health customers. While some of the data was provided for free via the chatbots on a random, piecemeal basis, larger bulk data sets were available for sale.
Reuters was unable to independently verify xenZen’s claims or determine how the chatbot creator had obtained the data. In an email to Reuters, xenZen confirmed they were in discussions with buyers but did not disclose any further details.
Telegram’s Response and Subsequent Chatbot Removal
During its investigation, Reuters downloaded more than 1,500 files from the chatbots, with some documents dated as recently as July 2024. The chatbot’s welcome message even warned users that if the bot were taken down, another would become available within hours.
On September 16, Reuters shared details of the chatbots with Telegram. Within 24 hours, the company’s spokesperson, Remi Vaughn, confirmed that the chatbots had been “taken down.” Vaughn further emphasized that “the sharing of private information on Telegram is expressly forbidden” and that the platform uses AI tools, user reports, and proactive monitoring to remove millions of pieces of harmful content daily. Despite this, new chatbots offering Star Health data have since reappeared.
Star Health’s Investigation
Star Health revealed that an unidentified individual had contacted the company on August 13, claiming to have accessed some of its data. The insurer promptly reported the matter to the cybercrime department in Tamil Nadu, where the company is based, as well as to the federal cybersecurity agency, CERT-In.
In an August 14 stock exchange filing, Star Health, India’s largest standalone health insurance provider, disclosed that it was investigating an alleged breach of “a few claims data.” The company reiterated its commitment to customer privacy and its collaboration with law enforcement to address the criminal activity.
Impact on Customers
Telegram allows users to store and share large amounts of data behind anonymous accounts and enables the creation of chatbots to automatically distribute content. In this case, two chatbots were distributing Star Health data—one offering claim documents in PDF format and the other providing up to 20 samples from a database of 31.2 million records, which included policy numbers, names, and even body mass index information.
Among the leaked documents, Reuters found records related to the treatment of a one-year-old girl, the daughter of policyholder Sandeep TS, at a hospital in Kerala. Sandeep confirmed the documents’ authenticity and expressed concern, stating, “It sounds concerning. Do you know how this can affect me?” He also noted that Star Health had not notified him of any data breach.
Another policyholder, Pankaj Subhash Malhotra, whose claim data—including ultrasound results, illness details, and copies of his federal tax and national ID cards—was also leaked, confirmed the accuracy of the documents. Like Sandeep, he was not informed of any security breach.
Broader Implications of Telegram-Based Data Leaks
The use of Telegram chatbots for selling stolen data is not an isolated incident. A survey conducted by NordVPN at the end of 2022 revealed that of five million people whose data was sold via chatbots, 12% were from India, making it the largest group of victims.
According to NordVPN cybersecurity expert Adrianus Warmenhoven, “The fact that sensitive data is available via Telegram is natural because Telegram is an easy-to-use storefront. It has become a convenient method for criminals to interact.”
This incident underscores the challenges Indian companies face in securing sensitive data, especially in the digital age where platforms like Telegram are increasingly being used for illicit activities.