Hacker’s Claims About CISO Are Focus of Star Health Probe

Exclusive Interview: Hacker xenZen Details Data Theft Affecting 31 Million in India
Photo of Star Health CISO Amarjeet Khanuja from a guest column about digital transformation published in June (Image: Banking & Finance)

A data breach at a leading Indian private health insurer affecting millions of customers took an unexpected turn this week after the hacker posted samples of customer information on a leak website and accused the company's CISO of selling access to the data - and then trying to double-cross the hacker.

In an exclusive interview with Information Security Media Group, the hacker - who uses the name "xenZen" - claims to have negotiated with the CISO for weeks through encrypted chat and paid him $43,000 to access customer and claims data of Star Health & Allied Insurance Co., which has a 33% share in India's retail health market. But the hacker claims the CISO was holding out for more.

"He broke deal with me and asked for more money," xenZen told ISMG. "In this industry, this is not how it works. I've other insiders working for years in other companies for me."

The hacker provided a link to a YouTube channel that purports to show his conversation with the CISO - Amarjeet Khanuja - but ISMG was unable to verify the authenticity of the video. Star Health told ISMG in a statement that it is investigating "a targeted, malicious cyberattack, resulting in unauthorized and illegal access to certain data" and that it has so far found no evidence of wrongdoing on the part of the CISO.

"We want to categorically mention that our CISO has been duly cooperating in the investigation, and we have not arrived at any finding of wrongdoing by him till date," a spokesperson said. "We request that his privacy be respected as we know that the threat actor is trying to create panic." Khanuja's LinkedIn account was inactive at the time of publication.

The insurance company said it is conducting a "thorough and rigorous forensic investigation" into the breach. The hacker claims to have 7.24 terabytes worth of personal data and insurance claims data affecting 31.2 million people. The company said it only has 20 million customers, but it did not comment on whether the data of former customers could have been compromised.

The hacker claims the stolen data repository contains customers' full names, dates of birth, addresses, gender, mobile phone numbers, tax ID numbers, email addresses, details of nominees, details of pre-existing diseases, and physical characteristics such as height, weight, and body mass index.

The hacker also claims to have 5.7 million insurance claims documents that contain customers' government identification information, detailed medical reports, insurance claim details, claim value and contact details.

The Star Health breach first came to light on Sept. 20 after the hacker made the data of millions of the insurance company's customers publicly accessible via chatbots on Telegram, and the company subsequently revealed that it had sued the hacker, Telegram and U.S. software company Cloudflare over the incident. Star Health alleged in its lawsuit that Cloudflare hosted the hacker-owned domains that contained customers' personal and healthcare information. Cloudflare later denied hosting the hacker-run website (see: Star Health Breach: Does Reputation Trump Patient Privacy?).

The threat actor initially posted a sample of 500 lines of stolen data on a Cloudflare-hosted domain and offered to sell the entire database for $150,000. The hacker later switched to a self-hosted domain after Star Health obtained a court order to take down the web domains and social channels that exposed the customer records.

It Started With a Meeting on Tox

In email responses to questions from ISMG, xenZen said that an anonymous user named "mc6" reached out to him through a contact named "denol" on Tox - an end-to-end encrypted, peer-to-peer instant-messaging and video-calling service - to sell Star Health data. The two negotiated and the hacker agreed to pay $28,000 in Monero cryptocurrency for the data.

The hacker said the seller set up a fake account on Star Health's internet portal and left open an API that gave the account's owner the rights to access and exfiltrate stored data.

After the deal went smoothly, the duo struck another deal worth $15,000 for Star Health customers' insurance claims data. XenZen said he paid the money but after a few days, the seller paused his access to the company's network and demanded that he pay another $150,000 for the claims data because the company's "senior management wants [a] cut to continue."

XenZen said he refused to pay more and instead hacked into the claims system. "Those noobs were not able to stop my access fully. Then I bypassed it after he broke deal and took all claims data," xenZen claimed.

The hacker posted a screenshare video on YouTube that shows the Tox conversation with the mc6 user in July and an email thread that lists Khanuja's email address as the sender on multiple messages. XenZen expressed frustration when he learned that the seller wanted more money: "Are you kidding me? lol You want to scam me in this? … Don’t try to play these games. It will be very bad for you."

ISMG was unable to verify the authenticity of the Tox chats or email messages. Asked why a CISO would sell data to a cybercriminal using his work email address, the hacker responded, "Maybe he slipped and sent access details from his work email because he wasn't able to use that chat on his work computer to send me details. He mentioned that in chat too."

XenZen said he did not interact with any other Star Health executive during the negotiations that lasted less than a month. The hacker claims to have found buyers for the stolen data.

Attempts by ISMG to reach Khanuja were unsuccessful on Friday. Khanuja, who holds CISSP, CISM and CDPSE certifications, is listed as senior vice president and CISO at Star Health. According to RocketReach, he formerly worked with Oziel Consulting. He holds a degree in mechanical engineering from Shri G S Institute of Technology & Science and lists skills in "program management, CRM, global delivery, IT service management, transition management and more."

In June, Khanuja authored a guest column in Banking & Finance about digital transformation strategies in the banking sector. The opinion piece includes comments about the importance of data protection.

"Building trust starts with transparency about how data is collected and used," Khanuja wrote. "Finally, equipping employees with the skills to handle data responsibly ensures compliance and safeguards customer information."

About the Author

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.