The Star Health Insurance data breach has been in the news for some time now. The Company also seems to have acknowledged the breach. As per this article in India Today, 31 million data principals might have been affected in the breach, and the personal data is reportedly being sold online.
The data has been accessed by an identity under the name xenZen, who has also suggested that the data was sold for US $150000. The net price is as low as 38 paise per data set, which is not realistic. The normal price for such data .
One indicative price list of data is as follows:
The type of data leaked in the Star Health breach is indicated as:
- Full Name
- PAN No.
- Mobile No.
- Date of Birth
- Residential Address
- Insured Date of Birth
- Insured Name
- Gender
- Pre-existing Disease
- Policy Number
- Health Card
- Nominee Name
- Nominee Age
- Nominee Claim %
- Nominee Relationship
- Insured Height
- Weight
- BMI
The leak also indicates that the CISO of Star Health Management, Mr Amarjeet, sold the data but later tried to change the deal terms.
The hacker also invites journalists to contact him on his email for proof etc.
Data breaches are not new in India, but what is strange in this instance is that the name of the CISO is given along with an indication that the management is also involved in the data breach.
There are several issues in this case which are beyond the scope of investigation by the Company itself. In fact, the more the Company tries to investigate, the more it will vitiate the evidence, in violation of law.
The value indicated is not realistic, and hence there is a prima facie doubt that somebody who wanted to frame the CISO and blame the company is involved in this data leak. In view of the doubts raised on the company and the CISO himself, an internal investigation is not reliable.
Further, the consideration involved is in US dollars and hence there is also a FEMA angle.
From all angles, this is a case to be investigated by CBI and ED, and the investigation should extend to other employees of the Company as well as competitors of Star Health Insurance who are the beneficiaries of this data leak.
CERT-In also has to start its investigation. However, this investigation is beyond the scope of a single organization involved in data breach investigation.
We urge that CERT-In should file a complaint with CBI and ED to trigger an investigation, assist them in the investigation and find out the truth behind this data breach.
In the meantime, we reiterate that the existence of “Proton Mail” kind of services and the dark web itself is the root cause for such crimes, and the country as a whole should declare Proton Mail as a “Terror Outfit” and take up the investigation as a “Cyber Terrorism Case”.
There is an urgent need to completely ban Proton Mail in India and also ban the use of Tor browsers, making it an offence to use them without a license. The MHA should also look into this case and bring some fundamental changes to our legal system so that cyber crimes are not facilitated by the existence of the dark web and its allies like Proton Mail.
Naavi