Skip to content
Data breachContained

Star Health insurance breach and senior-official extortion (India, 2024)

A hacker using the alias xenZen exposed personal and medical data on 31.2 million Star Health customers via Telegram bots, alongside 5.76 million claims records. The leak escalated into a public extortion drama implicating a senior Star Health official.

Victim
Star Health and Allied Insurance
Loss
$30.0M
records
31.2M
users
31.2M

In August 2024, Star Health and Allied Insurance — India's largest standalone health insurer — became the centre of one of the country's most consequential data-breach scandals. A threat actor using the alias xenZen publicly claimed to have access to records on 31.2 million customers, exposed via custom Telegram bots that anyone could query.

What happened

By mid-2024, xenZen had stood up Telegram bots capable of returning customer data on demand: 31,216,953 customer records and 5,758,425 claim records. The data set was unusually rich, including PAN numbers, phone numbers, residential addresses, tax details, and medical records — exactly the combination India's emerging Digital Personal Data Protection Act is built to prevent.

What turned an already-bad breach into a national scandal was the extortion correspondence that xenZen subsequently published. According to the actor — corroborated by video evidence of email exchanges — the data was initially offered to a senior Star Health official for around $28,000. The official later demanded $150,000, with xenZen alleging that part of that demand was framed as compensation owed to senior management for allowing the leak to continue.

The implication of insider complicity transformed the story from a security failure into a governance and ethics scandal.

Impact

  • 31.2 million customer records exposed, including PAN, address, tax, and medical data.
  • 5.76 million claim records exposed.
  • Telegram bots taken down in October 2024 by coordinated action of the Madras High Court, I4C, and the Indian cybercrime task force.
  • Proposed ₹250 crore (~$30M USD) regulatory penalty under India's DPDP framework.
  • Insider-involvement allegations against a senior official triggered governance reviews and class-action litigation.

Why it matters

The Star Health incident is the breach where India's data-protection regime grew up. The DPDP Act, which was still settling into its enforcement posture in 2024, was given a textbook reference case. And the implication of senior-management involvement reframed the public debate from "how secure are insurers' systems" to "how trustworthy are the people who run them".

Financial impact

Reported costs in USD

Total reported loss
30.0M
USD · $30,000,000
Ransom demanded
$150.0K
Ransom paid
Refused
  • Fines & settlements$30.0M

Timeline

  1. Telegram bots are created to serve Star Health customer records — 31,216,953 customer records and 5,758,425 claim records.

  2. An actor using the alias 'xenZen' publicly claims access to Star Health customer data, including PAN details, phone numbers, residential addresses, tax details, and medical records.

  3. xenZen publishes video evidence of email correspondence with a senior Star Health official, alleging an initial $28,000 deal and a later $150,000 demand to keep the leak flowing — implicating insider involvement.

  4. Madras High Court, Indian law enforcement, and the I4C cybercrime task force coordinate to take down the Telegram bots distributing the data.

  5. Star Health faces a proposed ₹250 crore (~$30M) penalty under India's emerging Digital Personal Data Protection (DPDP) Act.

Sources

  1. bwhealthcareworld.comhttps://www.bwhealthcareworld.com/article/massive-data-breach-exposes-personal-information-of-31-crore-star-health-customers-535915
  2. indiatvnews.comhttps://www.indiatvnews.com/news/india/star-health-insurance-data-leak-data-of-31-million-customers-up-on-sale-for-150-000-2024-10-09-956357
  3. dpdpconsultants.comhttps://www.dpdpconsultants.com/newsletter.php?id=22&title=star-health-faces-250-cr-penalty-after-data-breach-raising-dpdp-concerns

Related incidents

Data breachdisputed

MobiKwik data breach

An 8.2TB trove tied to Indian fintech MobiKwik — reportedly covering up to 99 million users with KYC documents, Aadhaar and card details — was advertised for sale on a dark-web forum, in a breach the company repeatedly denied.

Victim
MobiKwik
Records
99.0M
Data breachContained

Leak at Banque de France

On 23 November 2024, the threat actor Near2tlg advertised data allegedly stolen from France's central bank; the Banque de France denied any compromise of its secure systems, acknowledging only brief unauthorized access to an HR extranet with no sensitive data exposed.

Victim
Banque de France
Data breachResolved

Yonéma data breach (2024)

In November 2024, data from the Senegalese payment platform Yonéma was posted to a popular hacking forum. The data included 36k unique email addresses alongside phone numbers, names and what appears to be encrypted passwords and dates of birth.

Victim
Yonéma
Records
36.0K