Star Health insurance breach and senior-official extortion (India, 2024)
A hacker using the alias xenZen exposed personal and medical data on 31.2 million Star Health customers via Telegram bots, alongside 5.76 million claims records. The leak escalated into a public extortion drama implicating a senior Star Health official.
- Victim: Star Health and Allied Insurance
- Loss: $30.0M
- Records: 31.2M
- Users: 31.2M
In August 2024, Star Health and Allied Insurance — India's largest standalone health insurer — became the centre of one of the country's most consequential data-breach scandals. A threat actor using the alias xenZen publicly claimed to have access to records on 31.2 million customers, exposed via custom Telegram bots that anyone could query.
What happened
By mid-2024, xenZen had stood up Telegram bots capable of returning customer data on demand: 31,216,953 customer records and 5,758,425 claim records. The data set was unusually rich, including PAN numbers, phone numbers, residential addresses, tax details, and medical records — exactly the combination India's emerging Digital Personal Data Protection Act is built to prevent.
What turned an already-bad breach into a national scandal was the extortion correspondence that xenZen subsequently published. According to the actor — corroborated by video evidence of email exchanges — the data was initially offered to a senior Star Health official for around $28,000. The official later demanded $150,000, with xenZen alleging that part of that demand was framed as compensation owed to senior management for allowing the leak to continue.
The implication of insider complicity transformed the story from a security failure into a governance and ethics scandal.
Impact
- 31.2 million customer records exposed, including PAN, address, tax, and medical data.
- 5.76 million claim records exposed.
- Telegram bots taken down in October 2024 by coordinated action of the Madras High Court, I4C, and the Indian cybercrime task force.
- Proposed ₹250 crore (~$30M USD) regulatory penalty under India's DPDP framework.
- Insider-involvement allegations against a senior official triggered governance reviews and class-action litigation.
Why it matters
The Star Health incident is the breach where India's data-protection regime grew up. The DPDP Act, which was still settling into its enforcement posture in 2024, was given a textbook reference case. And the implication of senior-management involvement reframed the public debate from "how secure are insurers' systems" to "how trustworthy are the people who run them".
Financial impact
Reported costs in USD
- Fines & settlements: $30.0M
Timeline
Telegram bots are created to serve Star Health customer records — 31,216,953 customer records and 5,758,425 claim records.
An actor using the alias 'xenZen' publicly claims access to Star Health customer data, including PAN details, phone numbers, residential addresses, tax details, and medical records.
xenZen publishes video evidence of email correspondence with a senior Star Health official, alleging an initial $28,000 deal and a later $150,000 demand to keep the leak flowing — implicating insider involvement.
Madras High Court, Indian law enforcement, and the I4C cybercrime task force coordinate to take down the Telegram bots distributing the data.
Star Health faces a proposed ₹250 crore (~$30M) penalty under India's emerging Digital Personal Data Protection (DPDP) Act.
Sources
- bwhealthcareworld.com: https://www.bwhealthcareworld.com/article/massive-data-breach-exposes-personal-information-of-31-crore-star-health-customers-535915
- indiatvnews.com: https://www.indiatvnews.com/news/india/star-health-insurance-data-leak-data-of-31-million-customers-up-on-sale-for-150-000-2024-10-09-956357
- dpdpconsultants.com: https://www.dpdpconsultants.com/newsletter.php?id=22&title=star-health-faces-250-cr-penalty-after-data-breach-raising-dpdp-concerns