Star Health Sues Telegram Over Data Breach
The Indian insurance company Star Health, with a market capitalization exceeding $4 billion, has filed a lawsuit against the messaging platform Telegram and a hacker after Reuters reported that the hacker used the platform’s chatbots to illegally disseminate personal data and medical reports of its clients.
The lawsuit was filed amid heightened scrutiny of Telegram following the arrest of its founder, Pavel Durov, in France. Durov is accused of facilitating illegal activities through his messenger platform, though both Telegram and its founder deny these allegations.
The Tamil Nadu state court has temporarily ordered the blocking of any chatbots and websites that provide access to the leaked data online. As part of the case, Star Health has also filed a lawsuit against the American company Cloudflare, claiming its services were used to host the leaked data on various websites.
According to the court, Star Health’s confidential customer data and business information were compromised and distributed via Telegram. The court has sent notifications to both Telegram and Cloudflare, with the next hearing scheduled for October 25.
Star Health stated that two chatbots on the Telegram platform were distributing client data. One provided access to insurance documents in PDF format, while the other allowed requests for up to 20 samples from a database containing information on 31.2 million clients, including names, phone numbers, and medical results.
As discovered by British security researcher Jason Parker, the Star Health chatbots contained a welcome message indicating that they were created by a user with the pseudonym xenZen and had been active since August 6. Parker, posing as a buyer on a hacker forum, received confirmation from xenZen that the hacker possessed 7.24 TB of data related to more than 31 million Star Health clients. Portions of this data were reportedly available for free via the Telegram chatbots.
Reuters had previously managed to download over 1,500 files containing clients’ personal data, dated July 2024. Despite the removal of the chatbots, new ones later emerged.
Star Health has also filed a lawsuit against the hacker xenZen, who is reported to have distributed the data. The hacker informed Reuters that he is willing to participate in the hearings online if given the opportunity.
