Key Points
- Star Health sues Telegram, a hacker, and Cloudflare over a data breach involving leaked customer information.
- Sensitive customer data, including medical records and identification documents, was exposed via chatbots on Telegram.
- The case highlights a growing global concern over using Telegram’s chatbot features for illegal activities.
- Star Health also named the hacker xenZen in the lawsuit, who has expressed a willingness to attend the hearings online.
Star Health, one of India’s leading insurers, has filed a lawsuit against Telegram and a hacker after it was revealed that its policyholders’ personal data and medical reports were being leaked through chatbots on the messaging platform. This action follows a report by Reuters, which uncovered that the hacker was using automated tools on Telegram to expose sensitive customer data. The lawsuit also targets Cloudflare Inc., a U.S.-listed software company, for allegedly hosting websites that made the stolen data accessible.
The lawsuit comes amid increasing scrutiny of Telegram, especially following the arrest of its founder, Pavel Durov, in France last month. Telegram has faced criticism for its content moderation practices, with claims that the platform is being abused for illegal activities. Durov and Telegram have denied any wrongdoing and are working to address these concerns.
In response to the data breach, Star Health secured a temporary injunction from a court in Tamil Nadu, ordering Telegram and the hacker to block any chatbots or websites in India that are distributing the leaked data. According to court documents, the personal information exposed included policy numbers, names, phone numbers, medical diagnoses, and even copies of identification documents. The court has also issued notices to Telegram and Cloudflare, with a hearing scheduled for October 25.
The insurance company first made details of the lawsuit public through an advertisement in The Hindu newspaper, stating that it sought to prevent Telegram and Cloudflare from using its trade name “Star Health” and making any of its data available online. Despite the seriousness of the breach, neither Star Health, Telegram, nor Cloudflare have commented on the lawsuit yet.
This breach involved two chatbots. One allowed users to download claim documents in PDF format, while the other let users retrieve up to 20 samples from a dataset of 31.2 million records. The leaked information included sensitive data such as medical diagnoses, body mass index, and ID card copies.
While Telegram responded to the July 2024 alert by removing the chatbots within 24 hours, more chatbots surfaced shortly afterward. Star Health has also sued the hacker known as xenZen, who admitted involvement and expressed willingness to join the court hearings online if allowed.
This case is part of a broader trend in which hackers increasingly use chatbots to sell stolen data. A NordVPN survey showed that India accounted for 12% of the five million global victims whose data was sold through chatbots.