Star Health Absolves CISO, But Customers Are Still at Risk
Data Privacy and Security of Millions of Star Health Customers Lost in Blame Game

Indian health insurance giant Star Health and Allied Insurance Company has absolved its chief information security officer of any wrongdoing related to a recent data breach, but beyond the high-stakes blame game, there is no clear resolution in sight for the 31.2 million customers whose data was compromised and leaked on the dark web.
The insurance company said in a stock exchange filing Monday that an independent forensic investigation conducted by an external cybersecurity firm found that the company's chief information security officer - Amarjeet Khanuja - did not have any role to play in the leakage of customers' personal and healthcare information.
The investigation found that a hacker, who claimed to have "purchased" the information of Star Health customers from Khanuja for about $43,000 in cryptocurrency, fabricated his conversations with Khanuja and posted them on the data leak site.
The insurance company announced in early October that it was investigating "a targeted, malicious cyberattack, resulting in unauthorized and illegal access to certain data" but said it had not found evidence of wrongdoing on the part of the CISO (see: Hacker’s Claims About CISO Are Focus of Star Health Probe).
"We want to categorically mention that our CISO has been duly cooperating in the investigation, and we have not arrived at any finding of wrongdoing by him till date," a spokesperson said. "We request that his privacy be respected as we know that the threat actor is trying to create panic."
The company told the Bombay Stock Exchange Monday that after the third-party breach investigation concluded, its risk management and IT committees informed the board about the findings and recommended additional measures to enhance the company's information security posture. The chief risk officer also shared a vulnerability assessment, penetration testing results and a security assessment of vendors performed by the company.
Although Star Health has concluded its investigation, the company remains in litigation at the Madras High Court against the threat actor, who calls himself xenZen and has been selling the stolen customer information for as much as $150,000 through bots on Telegram. The company had initially kept silent about the incident.
xenZen previously told Information Security Media Group that he communicated with Khanuja for weeks on encrypted messaging service Tox, where the CISO offered to sell him the company's customer database for $28,000. The hacker claimed the two struck another deal for the sale of Star Health customers' insurance claims data for $15,000, but the CISO later reneged on the deal and demanded that xenZen pay another $150,000 because the company's senior management wanted in on the deal.
Khanuja made no public denial of xenZen's story, and Star Health waited until early October to tell the public that it was looking into the incident, even though it had already informed India's insurance regulator, the IRDAI.
The company's prolonged silence caused much confusion in the information security community and among Star Health customers, while the hacker interacted regularly with the news media and information security experts and presented screen recordings of his email exchanges with Khanuja. Star Health said those screen recordings were fake.
Some have criticized the secrecy around the incident. Mumbai-based cybercrime investigator and founder of V4WEB Cybersecurity Ritesh Bhatia told ISMG that Star Health's conduct in the aftermath of the incident conveyed the impression that the company intended to protect its reputation more than it wanted to safeguard the interests of millions of customers (see: Star Health Breach: Does Reputation Trump Patient Privacy?).
Star Health released details of the cybersecurity incident in October, when it also alleged that the hacker had demanded a $68,000 ransom in exchange for returning the stolen data. A cybersecurity company engaged by Star Health in September had already announced on Sept. 24 that the hacker fabricated evidence of his interactions with Khanuja.
CloudSEK, the Singapore-headquartered company, said the hacker possibly used the browser's "inspect element" developer tool to edit the HTML of his email client so that some messages appeared to come from Khanuja's email address. The hacker may also have "used publicly available credentials and exploited an IDOR vulnerability in the API" to steal the customer data rather than purchasing it from the CISO.
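The attack path CloudSEK describes, one low-privilege credential plus an insecure direct object reference (IDOR) in a customer API, is worth seeing in code. The following is an added example, not code from the article, Star Health or CloudSEK: a minimal in-memory customer API with the vulnerable handler beside a hardened one, a scan that shows how much each leaks to a single leaked token, and a log check that flags a token reading more records than it owns. Every customer, token, record ID and log line is constructed for the example.

```python
"""Added example: IDOR in a customer-record API, vulnerable vs. hardened.

Nothing here is taken from Star Health's or CloudSEK's systems; customers,
session tokens, IDs and log lines are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    policy_no: str


# Constructed sample records. Sequential IDs are what make enumeration cheap.
CUSTOMERS = {
    1001: Customer(1001, "Asha", "POL-1001"),
    1002: Customer(1002, "Bala", "POL-1002"),
    1003: Customer(1003, "Chitra", "POL-1003"),
}

# Constructed session tokens mapped to the customer that owns them.
# "leaked-token" stands in for the "publicly available credentials"
# of one ordinary account.
SESSIONS = {"leaked-token": 1001, "other-token": 1002}


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but the record belongs to someone else."""


def authenticate(token):
    """Return the caller's customer_id or raise Unauthorized."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthorized("no such session") from None


def get_customer_vulnerable(token, customer_id):
    """IDOR: authenticates the caller but never checks record ownership."""
    authenticate(token)
    return CUSTOMERS.get(customer_id)


def get_customer_hardened(token, customer_id):
    """Authenticate, then authorize: a caller may only read their own record."""
    caller = authenticate(token)
    if customer_id != caller:
        raise Forbidden("record does not belong to caller")
    return CUSTOMERS.get(customer_id)


def enumerate_records(handler, token, id_range):
    """Walk a contiguous ID range with one token, as an IDOR is harvested.

    Returns the IDs of records the handler handed back.
    """
    leaked = []
    for cid in id_range:
        try:
            rec = handler(token, cid)
        except Forbidden:
            continue
        if rec is not None:
            leaked.append(rec.customer_id)
    return leaked


def flag_enumeration(log_lines, threshold=3):
    """Flag tokens whose successful reads cover >= threshold distinct IDs.

    Constructed log format: '<token> GET /customers/<id> <status>'.
    A single customer legitimately reads one record, so a token touching
    several distinct IDs with 200 responses is the enumeration signal.
    """
    seen = {}
    for line in log_lines:
        token, _method, path, status = line.split()
        if status != "200":
            continue
        cid = int(path.rsplit("/", 1)[1])
        seen.setdefault(token, set()).add(cid)
    return sorted(t for t, ids in seen.items() if len(ids) >= threshold)


# Constructed access-log sample: one token walking the ID space.
SAMPLE_LOG = [
    "leaked-token GET /customers/1001 200",
    "leaked-token GET /customers/1002 200",
    "leaked-token GET /customers/1003 200",
    "leaked-token GET /customers/1004 404",
    "other-token GET /customers/1002 200",
]


if __name__ == "__main__":
    scan = range(1000, 1005)
    print("vulnerable leaks:", enumerate_records(get_customer_vulnerable, "leaked-token", scan))
    print("hardened leaks:  ", enumerate_records(get_customer_hardened, "leaked-token", scan))
    print("flagged tokens:  ", flag_enumeration(SAMPLE_LOG))
```

The point of the pairing is that authentication alone is not authorization: the vulnerable handler gives a single leaked credential the whole customer table, while the hardened one returns only the caller's own record. The log check is the corresponding detection, and it works only because the API logs the token and the object ID on every request.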
"The threat actor belongs to China and has had geopolitical motives to create chaos and spread disinformation among Indian masses," the firm added.
After CloudSEK published its findings, an X user going by the name Jason Parker and claiming to be a UK-based IT security expert questioned the company's findings and its objectivity, given that Star Health had engaged it to investigate its own CISO's involvement.
Parker said CloudSEK's conclusion that the hacker altered the page through inspect element to fake an email address fell flat because the address loaded live in a screen recording the hacker published. He also argued that the video contradicted CloudSEK's assertion that the hacker had not refreshed the page, since the moving elements showed a dynamic page rather than an edited screenshot. CloudSEK CEO Rahul Sasi later accused Parker of being none other than xenZen in the guise of a security researcher.
The drawn-out saga of a miffed hacker going to great lengths to frame a cybersecurity leader, the insurance giant belatedly announcing steps to improve its cybersecurity posture and a social media war between security researchers could have been avoided had Star Health disclosed the breach to the public in August and announced steps to secure its data from misuse.
Amid the intense battle to safeguard a CISO and his company's reputation, the data security and privacy rights of tens of millions of customers have fallen by the wayside.