Stolen customer data including medical reports from India’s biggest health insurer, Star Health, is publicly accessible via chatbots on Telegram, just weeks after Telegram’s founder was accused of allowing the messenger app to facilitate crime.
The purported creator of the chatbots told a security researcher, who alerted Reuters to the issue, that private details of millions of people were for sale and that samples could be viewed by asking the chatbots to divulge them.
Star Health and Allied Insurance, whose market capitalization exceeds $4 billion, in a statement to Reuters said it has reported alleged unauthorized data access to local authorities. It said an initial assessment showed “no widespread compromise” and that “sensitive customer data remains secure”.
Using the chatbots, Reuters was able to download policy and claims documents featuring names, phone numbers, addresses, tax details, copies of ID cards, test results and medical diagnoses.
The ability for users to create chatbots is widely credited with helping Dubai-based Telegram become one of the world’s biggest messenger apps with 900 million active monthly users.
However, the arrest of Russian-born founder Pavel Durov in France last month has increased scrutiny of Telegram’s content moderation and features open to abuse for criminal ends. Durov and Telegram denied wrongdoing and are addressing the criticism.
The use of Telegram chatbots to sell stolen data demonstrates the difficulty the app has in preventing nefarious agents taking advantage of its technology and highlights the challenges Indian companies face in keeping their data safe.
The Star Health chatbots feature a welcome message stating they are “by xenZen” and have been operational since at least Aug. 6, said UK-based security researcher Jason Parker.
Parker said he posed as a potential buyer on an online hacker forum where a user under the alias xenZen said they made the chatbots and possessed 7.24 terabytes of data related to over 31 million Star Health customers. The data is free via the chatbot on a random, piecemeal basis, but for sale in bulk form.
Reuters could neither independently verify xenZen’s claims nor ascertain how the chatbot creator obtained the data. In an email to Reuters, xenZen said they were in discussions with buyers, without disclosing who the buyers were or why they were interested.