Hackers use Telegram chatbot to leak Star Health Insurance data

Stolen customer data, including medical reports from India’s largest health insurer Star Health, was publicly accessible via a chatbot on Telegram, just weeks after Telegram’s founder was accused of allowing the messaging app to facilitate crime.

A security researcher who notified Reuters of the issue was told by the chatbot’s alleged creator that private details of millions of people were for sale and that people could view a sample by asking the chatbot to reveal the information.

Star Health and Allied Insurance, which has a market value of more than $4 billion, said in a statement to Reuters that it had reported the suspected unauthorized data access to local authorities. The company said an initial assessment showed “no large-scale intrusion” and that “sensitive customer data remains secure.”

Through the chatbot, Reuters was able to download insurance policies and claims documents containing names, phone numbers, addresses, tax details, copies of ID cards, test results and medical diagnoses.

The ability for users to create chatbots is widely credited with helping Dubai-based Telegram become one of the world’s largest messaging apps, with 900 million monthly active users.

However, the arrest in France last month of its Russian-born founder, Pavel Durov, has heightened scrutiny of Telegram’s content moderation and the potential for its features to be abused for criminal purposes. Durov and Telegram have denied wrongdoing and are responding to criticism.

The use of Telegram chatbots to sell stolen data illustrates the difficulty the app faces in preventing nefarious actors from exploiting its technology, and highlights the challenges Indian companies face in keeping data secure.

Jason Parker, a British security researcher, said the Star Health chatbots’ welcome message indicated they were “developed by xenZen” and had been operational since at least August 6.

Parker said he posed as a potential buyer on an online hacker forum, where a user named xenZen said they had built a chatbot and had 7.24 terabytes of data related to more than 31 million Star Health customers. The chatbot would provide this data for free in random, sporadic portions, but the data could also be sold in bulk.

Reuters could neither independently verify xenZen’s claims nor determine how the chatbot’s creators obtained the data. In an email to Reuters, xenZen said it was in discussions with buyers but did not disclose who the buyers were or why they were interested.


While testing the bot, Reuters downloaded more than 1,500 files, some of which were dated as recently as July 2024.

“If this bot is shut down, be careful, another one will be launched in a few hours,” the welcome message reads.

The chatbot was later labeled a “scam” with a warning that a user had reported it as a suspicious bot. Reuters shared details of the chatbots with Telegram on September 16, and within 24 hours, spokesperson Remi Vaughn said the chatbots had been “taken down” and asked to be notified if more such bots appeared.

“Telegram explicitly prohibits the sharing of private information and removes it once discovered. Moderators use a combination of proactive monitoring, AI tools, and user reports to remove millions of pieces of harmful content every day.”

Since then, new chatbots have emerged to provide Star Health data.

Star Health said an unidentified person contacted the company on August 13, claiming to have access to some of its data. The company reported the matter to the cyber crime unit of Tamil Nadu, where it is based, and federal cybersecurity agency CERT-In.

“The unauthorized access and dissemination of customer data is illegal, and we are actively working with law enforcement to combat this criminal activity. Star Health would like to assure its customers and partners that their privacy is of paramount importance to us,” the company said in a statement.

Star Health, India’s largest standalone health insurance provider, said in an August 14 stock exchange filing that it is investigating an alleged breach of “partial claims data”.

Representatives from India’s CERT-In and Tamil Nadu’s cyber crime unit did not respond to emailed requests for comment.


Telegram allows individuals or organizations to store and share large amounts of data behind anonymous accounts. It also allows them to create customizable chatbots that automatically provide content and functionality based on user requests.

Two chatbots distribute Star Health data. One provides claims documents in PDF format. The other allows users to request up to 20 samples from a dataset of 31.2 million with a single click, providing details including policy number, name and even body mass index.

The documents reviewed by Reuters include records of treatment for policyholder Sandeep TS’s 1-year-old daughter at a hospital in the southern state of Kerala. The records include a diagnosis, blood test results, medical history and a bill of nearly 15,000 rupees ($179).

“That sounds worrying. Do you know how this will affect me?” said Sandeep, who confirmed the authenticity of the documents. He said Star Health had not informed him of any data breach.

The chatbot also leaked a claim from last year by policyholder Pankaj Subhash Malhotra, which included ultrasound imaging test results, details of his illness, and copies of his federal tax account and national ID card. He also confirmed that the documents were authentic and said he was not aware of any security breach.

The Star Health chatbot is part of a wider trend of hackers using such methods to sell stolen data. NordVPN’s latest survey of this trend, conducted at the end of 2022, showed that India had the highest number of victims, at 12%, of the 5 million people whose data was sold through chatbots.

Adrianus Warmenhoven, cybersecurity expert at NordVPN, said: “It is natural that sensitive data can be obtained through Telegram because Telegram is an easy-to-use shop. Telegram has become an easier way for criminals to interact.”
