Star Health data breach: Scope for mammoth scams amid few legal remedies?

At its focal point is a breached database containing sensitive information of over 2% of India’s population, giving scammers access to a vast gamut of data that can now be misused across the board.

On 25 September, a cyber attacker bearing the alias ‘xenZen’ posted a database using automated chatbots powered by social media platform Telegram. The database contained personal information of 31 million users, along with 5.8 million entries of insurance claims. The entire dataset was put up for sale at $150,000 ( ₹1.26 crore).

The dataset, according to two senior cyber security researchers Mint spoke with, included sensitive details such as residential addresses, salaries and health records. Mint also viewed a sample of the database that the hacker put up on an encrypted platform.

Star Health and Allied Insurance Co. Ltd’s shares fell 2% on Thursday to close at ₹566.65 apiece on BSE. The company, which reported operating revenue of $1.81 billion for FY24, says it has about 20 million customers. Credit rating agency India Ratings said earlier this month that Star Health accounted for one-third of all individual health insurance policies across India.

Also read |How safe is safe enough? Heed RBI on cyber security and risk reduction.

Industry veterans said the impact of the breach could be exponential—both for consumers as well as for Star Health.

“There are two key customers of personal data—cyber scammers, and targeted marketing professionals. For scammers, such sensitive data can lead to spear phishing—scams where the malicious threat actor divulges key personal information that makes an unsuspecting victim trust the individual, ahead of being scammed for vast amounts," said Lalit Kalra, partner for cyber security at consultancy firm EY India.

Kalra added that a key impact for Star Health would be in its enterprise relations. “For the average consumer, memory is short-lived. However, for Star Health, its enterprise revenue may take a significant long-term beating due to the impact of such a breach—due to how such an incident reflects on a user’s trust," he said.

A Star Health spokesperson acknowledged that the company was “the victim of a malicious cyber attack."

“A thorough and rigorous forensic investigation, led by independent cyber security experts, is underway. We are working closely with government and regulatory authorities at every stage of this investigation, including by duly reporting the incident to the insurance and cybersecurity regulatory authorities—apart from filing a criminal complaint," the spokesperson said.

“We also approached the Madras High Court, which in the attached order has directed all (including certain third) parties to disable access to the relevant information."

Also read |Star Health firm on profitability path amid rising competition

‘Complete havoc’

The breach comes at a time when the cost of an average data breach for this year around the world increased 10% annually to $4.88 million ( ₹41 crore).

It is impossible to scrub the internet of data that has already been stolen. A key reason for this is that once stolen, databases are replicated across multiple parties, making it practically impossible for any cyber security investigator or legal entity to find and erase all data associated with a breach.

“The simple logic is that the more sensitive a database is today, the more expensive it is, too. Further, while there are fraudulent claims aplenty in terms of data breaches, it is unlikely that claims of significant data such as health records are misleadingly made. The simple reason for that is that such data is rare, and thus, expensive to access for attackers," said a senior cyber security researcher, who requested anonymity citing the sensitivity of the issue.

“The widespread impact of this breach cannot quite be fathomed at this moment—if a scammer with intent accesses health and hospitalization records of individuals, such data can create complete havoc," the cyber security researcher added.

Inconsistent protections

Compounding the impact of the data breach is the fact that legal remedies to theft of personal data remain inconsistent in India. The dedicated Digital Personal Data Protection Act, 2023—notified in Parliament in August last year—is still to be enforced. In its absence, the Information Technology Act, 2000 is the sole dedicated law for such an issue.

Pawan Duggal, cyber lawyer at Supreme Court of India, said that while there are specific sections in the IT Act, 2000 that enable legal remedies, much remains to be done.

“Section 43A of the IT Act allows individuals to file for damages of up to ₹5 crore with an adjudicating authority for the loss of personal data. There are also criminal charges under the Bharatiya Nyaya Samahita, as well as consumer trust sections under Consumer Protection Act, 2019, that citizens can leverage to seek reparations for damages incurred due to this loss of data, citing negligence on behalf of a company," Duggal said.

“However, the adjudicating authorities are government secretaries crunched for time—on this note, such cases are very slow-moving, highlighting the need for dedicated cyber courts in India," he added.

Also read |How safe is safe enough? Heed RBI on cyber security and risk reduction.

Duggal further said that while establishing a dedicated Data Protection Board under the DPDP Act, 2023 may speed up matters, “it remains to be seen how rules under the DPDP Act implement the actions of the Board—a right strategy can give consumers an effective remedy, while the current one is slow and ineffective".

Duggal added that with India’s upcoming DPDP Act enforcing fines of ₹250 crore ($29.8 million) per person’s data theft on a company, the significance of stringent cyber security measures and restrictions of wrongdoing may be tightened further.