
India’s Star Health Insurance Company Accepts Being a Victim of Cyber Hack: Lessons for a CISO with respect to post incident immunity and safeguarding from being falsely quoted as an aide by the hacker

Cyber Secure India

India’s leading health insurance provider, Star Health, has admitted in a recent news release that it was the victim of a cyberattack. The attacker, using the handle “xenZen”, has since advertised the data on the dark web for a price: the full set is offered for $150k, and chunks of 100k records for $10k. The hacker claims to hold over 30 million client records, roughly 7TB of customer data.

The hacker first distributed the data through a Telegram chatbot, before setting up a dedicated website and hosting the data there. Until the end of September 2024, the website let visitors click a start button to receive samples of Star Health policy data, including claim documents and medical records.

The data said to be on offer contains customers’ personal information, including names, addresses and health records (in some cases body mass index, cause of claim and similar details). The samples also indicate that Aadhaar details are present.

Star Health has also approached the Madras High Court, which ordered all relevant parties to disable access to the information. In the suit, Star Health named Telegram, Cloudflare and xenZen (listed as having an unknown address), among others, for their roles in enabling the leak. Court documents dated 24 September 2024 show Star Health seeking a permanent injunction to stop the defendants from publishing or sharing the stolen data and from using its trade names, logo and website domain. The court granted an interim injunction the same day.

The Twist in the Complete Incident

It is noteworthy that the hacker made a controversial claim: that the company’s (Star Health Insurance’s) CISO had assisted in obtaining the data from the relevant servers, and that xenZen had received the records directly from the CISO. The hacker also published screenshots of a supposed electronic conversation with the CISO, with artifacts purporting to show shared login credentials and access information.

xenZen had also posted earlier, as quoted: “Star Health management CISO sold all this data to me and then attempted to change deal terms saying senior management of company needs more money for backdoor access.”

In response, Star Health Insurance said in a press release: “A thorough and rigorous forensic investigation, led by independent cyber security experts, is underway, and we are working closely with government and regulatory authorities at every stage of this investigation, including duly reporting the incident to the insurance and cyber security regulatory authorities apart from filing a criminal complaint.” On the allegation against the company’s CISO, Star Health added: “The CISO was cooperating with the investigation and had not been found guilty of any wrongdoing. We request that his privacy be respected as we know that the threat actor is trying to create panic.”

Disinformation, Attacks on Individual Reputation and the Safeguarding of Trust

The claim that the company’s CISO colluded with the hacker to facilitate the theft is a new pattern in the hacker’s conduct. That a breach occurred and that customer data was compromised is not in question; the claim that the CISO facilitated the hacker, however, is rebuttable, and as of the company’s statement the investigation had found no wrongdoing. It points to xenZen using morphed and manipulated documents as “evidence” to gaslight an appointment holder inside the victim organization. Day-to-day responsibility for the organization’s cyber security and for safeguarding customer data does sit with the CISO and the IT/security team, but accountability for data protection and enterprise security runs through many stakeholders in the chain, and cannot be vested in a single designation such as the CISO.

Practices a CISO Should Adopt to Resist Reputational Exploitation by the Perpetrator

The Hacker’s Wargame: Hacking is a technical act, routinely performed through tooling and code; yet the social engineering side, used to attract attention or to amplify the impact of the act, is equally part of the game. The threat actor does not improvise this: the narrative is deliberated and war-gamed in advance to extract more traction from the executed hack.

Use of Deepfakes/AI in Evidence Creation: Evidence manipulation, disinformation campaigns, cultivation of rogue elements and similar acts are all available to the perpetrator, and the resulting mistrust and recrimination after the act can be part of the hacker’s design. A chat screenshot is trivial to fabricate and proves nothing on its own; what rebuts it is an integrity-protected record, such as privileged-access and credential-vault logs, mail server logs with full headers, or timestamped audit trails, that the CISO’s office cannot itself alter after the fact.

Psycho-Social Aspects: Rivalry and professional vengeance within a peer group, or within the hierarchy of any organization, are a known fact and cannot be engineered away. The possibility of an insider implicating an appointment holder, or defaming a specific designation, cannot be ruled out in any organization. In this case the CISO was defamed through disinformation, and publicly at that; a CISO should be conscious of this risk and should keep the leadership above continually informed of all such aspects, even when the report appears trivial.

Keep the Chain Linked: Every appointment holder in an organization sits in a reporting channel, and every appointment in that chain is responsible both downward and upward. Appointments at all levels should maintain transparent reporting and adhere to timely reporting. Complacency sets in when the information is sketchy and one feels the incident needs more investigation before it is escalated; yet reporting even insignificant or partial information often protects the reporter, and the omission is judged harshly when the incident later turns out to have larger implications.

Attitude of Handholding: The CISO and her/his office is the one-stop shop for all cyber security incidents. Just as the designation receives the credit for a job well done, it absorbs the blame for any blemish, and organizations can make the CISO (and her/his office) the scapegoat for any such displeasure. After a breach, the leadership of the victim organization should exercise due diligence and judicious decision making, and should aim to establish the truth of the incident before reaching conclusions. Security is never complete: even at the highest level and with the best protection, gaps are inevitable. What matters after an incident, and before responsibility is pinned on anyone, is due diligence, the learning the incident provides through root cause analysis, and an early bounce-back.

Conclusion

There are many lessons from this reporting and from the incident at Star Health Insurance: (a) a cyber security breach is not just a technical act; the hacker can also exploit psycho-social components. (b) Cyber security incident management also entails organizational culture and due diligence. (c) The CISO and her/his office must engage in aspects of management beyond technology. (d) Organizations should also invest in perception management, legal management, organizational culture, behavioral sciences, techno-enabled forensics by design, and many other aspects beyond technology.
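One concrete form that “techno-enabled forensics by design” can take, and the practical answer to a hacker waving fabricated chat screenshots of shared credentials, is a privileged-access log that neither the CISO’s office nor an attacker can rewrite without detection. The following is an added illustration written for this page; it is not code from Star Health, from the investigation, or from the original article. The event schema, the system names, the “audit” anchor key and the sample events are all hypothetical and constructed. Each entry hashes the previous entry (a hash chain), and the head of the chain is MACed with a key held outside the security team, so an in-place edit breaks the chain and a full rewrite breaks the anchor.

```python
"""Tamper-evident privileged-access log: SHA-256 hash chain plus an externally held HMAC anchor.

Added example for this page. The event fields, system names and anchor key are hypothetical,
and SAMPLE_EVENTS below are constructed, not real Star Health data.
"""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first entry


def _canonical(obj: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so the same event always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash: str, seq: int, event: Dict[str, Any]) -> str:
    # Each entry commits to its position, its predecessor and its own content.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(seq.to_bytes(8, "big"))
    h.update(_canonical(event))
    return h.hexdigest()


class PrivilegedAccessLog:
    """Append-only log in which every entry commits to all entries before it."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, event: Dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        digest = _entry_hash(prev, seq, event)
        self.entries.append({"seq": seq, "prev_hash": prev, "event": event, "hash": digest})
        return digest

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def anchor_head(log: PrivilegedAccessLog, anchor_key: bytes) -> str:
    """MAC over the current head, computed with a key the security team does not hold
    (hypothetically escrowed with internal audit or a regulator)."""
    return hmac.new(anchor_key, log.head().encode(), hashlib.sha256).hexdigest()


def verify_chain(entries: List[Dict[str, Any]]) -> Tuple[bool, Optional[int]]:
    """(True, None) if the chain is internally consistent, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != _entry_hash(prev, i, e["event"]):
            return False, i
        prev = e["hash"]
    return True, None


def verify_anchor(entries: List[Dict[str, Any]], anchor_key: bytes, anchor: str) -> bool:
    """True only if the chain is consistent AND its head matches the externally held anchor."""
    ok, _ = verify_chain(entries)
    if not ok or not entries:
        return False
    expected = hmac.new(anchor_key, entries[-1]["hash"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, anchor)


# Constructed sample events from a hypothetical credential vault / PAM system.
SAMPLE_EVENTS = [
    {"ts": "2024-09-20T09:12:03Z", "actor": "ciso", "action": "checkout", "target": "claims-db-ro", "ticket": "CHG-1042"},
    {"ts": "2024-09-20T09:40:11Z", "actor": "ciso", "action": "checkin", "target": "claims-db-ro", "ticket": "CHG-1042"},
    {"ts": "2024-09-21T14:02:55Z", "actor": "dba-02", "action": "checkout", "target": "claims-db-rw", "ticket": "INC-2207"},
]


def build_sample_log() -> PrivilegedAccessLog:
    log = PrivilegedAccessLog()
    for ev in SAMPLE_EVENTS:
        log.append(copy.deepcopy(ev))
    return log


def forge_in_place(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Attacker edits one stored entry, as a doctored 'screenshot' would, without re-hashing."""
    forged = copy.deepcopy(entries)
    forged[1]["event"]["action"] = "export"
    forged[1]["event"]["shared_with"] = "external-party"
    return forged


def forge_with_rebuild(entries: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Stronger attacker: alters the event and regenerates the whole chain so it self-verifies."""
    events = [copy.deepcopy(e["event"]) for e in entries]
    events[1]["action"] = "export"
    events[1]["shared_with"] = "external-party"
    rebuilt = PrivilegedAccessLog()
    for ev in events:
        rebuilt.append(ev)
    return rebuilt.entries


if __name__ == "__main__":
    log = build_sample_log()
    key = b"hypothetical-anchor-key-held-by-audit"
    anchor = anchor_head(log, key)
    print("genuine:", verify_chain(log.entries), verify_anchor(log.entries, key, anchor))
    print("edited in place:", verify_chain(forge_in_place(log.entries)))
    rebuilt = forge_with_rebuild(log.entries)
    print("rebuilt chain:", verify_chain(rebuilt), verify_anchor(rebuilt, key, anchor))
```

The two forgeries show why both layers are needed: an edited entry fails `verify_chain` at the altered index, while a fully regenerated chain passes `verify_chain` but fails `verify_anchor`, because the anchored head no longer matches. In practice the anchor would be refreshed on a schedule and held by a party independent of the security team, and the log itself shipped to write-once storage, so that a fabricated “the CISO exported the data” entry cannot be slipped in after the fact by anyone, including the CISO.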
