By Rahul Sasi, CEO and Co-Founder, CloudSEK
They say truth is stranger than fiction – and nowhere is it truer than in the world of cybersecurity. Ask the folks at Star Health Insurance, who recently found themselves at the center of a digital storm that would make even the most seasoned thriller writers raise an eyebrow.
Two weeks ago, numerous news headlines claimed that Star Health Insurance’s Chief Information Security Officer (CISO) leaked sensitive customer data to a hacker. The accusation came from a threat actor known as “xenZen,” who shared a screenshot of the CISO supposedly sending credentials via email – what he called “proof” of insider collusion.
But CloudSEK’s investigation revealed a very different, far more complex story. It wasn’t just about a data breach; it was about a deliberate attempt to manipulate public opinion and discredit a key figure within the company.
Understanding What Really Happened
On September 20, 2024, our threat intelligence team detected that the hacker “xenZen” had posted an offer to sell 7TB of customer data stolen from Star Health Insurance. This breach affected over 31 million customers, and their personal information, including names, addresses, and health records, is now at risk.
While the breach itself was confirmed as legitimate, the claim that the CISO had willingly leaked the data was not. Our analysis dug deeper into the hacker’s allegations and found that xenZen had fabricated evidence to frame the CISO, exploiting the media’s appetite for a scandal and turning the narrative into one of insider betrayal.
Dissecting the Hacker’s Allegations
Our investigation revealed the following:
1. The Alleged Insider Leak Was Fabricated
The email that xenZen used as “evidence” was forged. The hacker edited the HTML of a webmail page in the browser’s developer tools (the “inspect element” feature) before taking the screenshot, a trick that changes only what the page displays, not any message that was actually sent or received. That was enough to make the screenshot appear to show a message coming directly from the CISO’s official account. A rendered screenshot carries none of the information that establishes where a message came from: the Message-ID, the Received chain and the DKIM/DMARC results live in the original headers on the receiving mail server, and a screenshot cannot be checked against any of them.
2. Credentials Were Obtained Elsewhere
The credentials that xenZen claimed to have received from the CISO were, in fact, part of a separate credential breach that had been circulating on the dark web. The CISO did not provide these credentials: xenZen simply found them online and used them to log in to Star Health’s systems. A valid login on its own does not explain a 31-million-record exposure; what turned one account into the whole database was the API flaw described next.
3. Exploiting a Technical Vulnerability
Once xenZen had these credentials, he exploited an Insecure Direct Object Reference (IDOR) vulnerability in Star Health’s API. An IDOR flaw arises when an endpoint verifies that the caller is logged in but never verifies that the caller is entitled to the specific record being requested, so a user who changes the customer or policy identifier in a URL or query is simply handed someone else’s data. Where identifiers are sequential or otherwise guessable, a single valid login is enough to walk the entire id space. This vulnerability gave xenZen access to the company’s massive customer database.
4. A History of Disinformation and Geopolitical Motives
XenZen has a track record of targeting Indian organizations and attempting to sow disinformation. In this case, his actions appear to go beyond financial motives. There’s evidence to suggest that his campaign was aimed at destabilizing trust within Indian institutions. Our analysis found that xenZen has shown vindictive behavior toward Indian citizens before, and his geopolitical motives seem to align with this attack.
Upon discovering the breach and the subsequent misinformation campaign, our research team took swift action. Not only did CloudSEK confirm the authenticity of the stolen data, but it also debunked the hacker’s claims that the CISO was involved. The investigation exposed the falsehoods being circulated and helped restore the CISO’s reputation.
We were also instrumental in taking down xenZen’s leak site, which had been set up to sell the stolen data. However, the hacker persisted, creating mirror sites to continue his operations. Our research team continues to monitor and counter these efforts to minimize further damage.
The Bigger Picture: Key Learnings for Corporates, CISOs, and the Cybersecurity Community
This incident highlights that cyberattacks are no longer limited to stealing data. They can also involve sophisticated attempts to manipulate public perception, destroy reputations, and sow discord. Here are some crucial takeaways for corporates, CISOs, and the broader security community:
1. The Power of Narrative in Cybersecurity
In the age of social media, perception is everything. Cyberattacks are often followed by a flood of speculation. XenZen exploited the media’s hunger for scandal. Corporates must recognize that managing a data breach is about more than stopping the leak; it is also about managing the narrative. Crisis communication strategies should be an integral part of every cybersecurity playbook.
2. The Sophistication of Modern Cybercrime
XenZen’s attack demonstrates how cybercriminals are evolving. They are using psychological warfare to create chaos. In this case, xenZen not only exploited a vulnerability but also fabricated evidence to frame the CISO. The security community needs to stay vigilant and anticipate attacks that may target not just systems but also individuals and organizations through disinformation.
3. Protecting Your CISO and Security Teams
Making the CISO a scapegoat for security breaches without proper evidence is a growing concern. Organizations must understand the complexities of cybersecurity and avoid jumping to conclusions. Security teams should have the support they need, including legal protection and clear communication channels. Transparency is essential, but so is the careful handling of internal investigations before pointing fingers.
4. Prioritizing API Security
The breach occurred because of an API vulnerability, specifically an IDOR flaw. APIs are a common attack vector and are often overlooked in many companies’ security strategies. IDOR is an authorization logic bug rather than a missing patch, so vulnerability scanners and vendor updates will not catch it; it is found by testing each endpoint as an ordinary logged-in user who requests another user’s identifiers. Organizations should regularly audit their APIs in this way, patch known vulnerabilities, enforce object-level access checks server-side on every request, prefer non-guessable identifiers, and alert on accounts that request an unusually large number of distinct records. Strengthening API security can prevent unauthorized access and minimize the risk of data exposure.
5. The Rise of Disinformation as a Cyber Threat
The use of disinformation in cyberattacks is on the rise. The ability to forge “evidence” and circulate it through media channels shows just how dangerous disinformation can be when paired with a cyberattack. Companies need to monitor both the technical and social landscapes to guard against these threats.
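To make point 3 above (the IDOR flaw) and takeaway 4 (API security) concrete, here is an added Python example. It is not code from Star Health, CloudSEK or the incident itself; the records, user names, policy ids, the policy endpoint and the alert threshold are all constructed for illustration. It shows a handler that checks only that the caller is logged in beside one that also checks ownership, the attacker loop that walks a guessable id space with a single valid login, and a simple detection rule over the access log that flags the enumeration.

```python
"""IDOR demonstration on constructed insurance-style records.

Added example, not Star Health's or CloudSEK's code. The record layout,
user names, policy ids and endpoint shape are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Policy:
    policy_id: int
    owner: str          # account entitled to read this record
    holder_name: str
    diagnosis: str


# Constructed sample data. Sequential ids are what makes IDOR cheap to
# exploit: once one id is known, the neighbours are trivially guessable.
POLICIES = {
    1001: Policy(1001, "alice", "Alice A.", "hypertension"),
    1002: Policy(1002, "bob", "Bob B.", "asthma"),
    1003: Policy(1003, "carol", "Carol C.", "type 2 diabetes"),
}

# Audit trail of (user, requested_id, allowed). A real service would ship
# this to a SIEM; here it is an in-memory list.
ACCESS_LOG: list[tuple[str, int, bool]] = []


class Forbidden(Exception):
    pass


def get_policy_vulnerable(session_user: Optional[str], policy_id: int) -> Optional[Policy]:
    """Authenticated but not authorised: any logged-in user can fetch any id."""
    if session_user is None:
        raise Forbidden("login required")
    rec = POLICIES.get(policy_id)
    ACCESS_LOG.append((session_user, policy_id, rec is not None))
    return rec  # no check that rec.owner == session_user


def get_policy_hardened(session_user: Optional[str], policy_id: int) -> Policy:
    """Same endpoint with an object-level ownership check bound to the caller."""
    if session_user is None:
        raise Forbidden("login required")
    rec = POLICIES.get(policy_id)
    allowed = rec is not None and rec.owner == session_user
    ACCESS_LOG.append((session_user, policy_id, allowed))
    if not allowed:
        # One response for "does not exist" and "not yours", so the id space
        # cannot be mapped by telling 404s from 403s.
        raise Forbidden("not found")
    return rec


def enumerate_records(handler: Callable, session_user: str, ids: Iterable[int]) -> dict[int, Policy]:
    """What an attacker with one valid login does: walk the id space."""
    harvested = {}
    for pid in ids:
        try:
            rec = handler(session_user, pid)
        except Forbidden:
            continue
        if rec is not None:
            harvested[pid] = rec
    return harvested


def flag_enumerators(log, max_distinct_ids: int) -> set[str]:
    """Detection: accounts that touched more distinct object ids than a
    legitimate customer plausibly would. Works against the vulnerable
    endpoint too, because the log records ids requested, not ids allowed."""
    seen = defaultdict(set)
    for user, pid, _allowed in log:
        seen[user].add(pid)
    return {u for u, ids in seen.items() if len(ids) > max_distinct_ids}


def demo():
    ACCESS_LOG.clear()
    leaked = enumerate_records(get_policy_vulnerable, "bob", range(1000, 1010))
    kept = enumerate_records(get_policy_hardened, "bob", range(1000, 1010))
    suspects = flag_enumerators(ACCESS_LOG, max_distinct_ids=3)  # threshold is an assumption
    return len(leaked), len(kept), suspects


if __name__ == "__main__":
    leaked, kept, suspects = demo()
    print(f"vulnerable endpoint leaked {leaked} records; hardened endpoint returned {kept}")
    print(f"accounts flagged for enumeration: {sorted(suspects)}")
```

Two design points worth noting. The hardened handler returns a single error for both “record does not exist” and “record belongs to someone else”, so the response itself does not tell an attacker which ids are live. And the access log records every id that was requested rather than only the ones that were served, which is why the enumeration rule fires on the vulnerable endpoint as well: the detection does not depend on the fix already being in place. Opaque, non-guessable identifiers raise the cost of the loop but are not a substitute for the ownership check.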
Moving Forward: A United Front Against Disinformation and Cyber Threats
As cyber threats become more sophisticated, involving not just hackers but also media manipulation, companies must adopt a more holistic approach to security.
The Star Health Insurance data breach highlights the critical need to defend against technical breaches and safeguard the integrity and trust that organizations cultivate with their customers and employees.
This includes not only strengthening technical defenses but also being proactive in managing narratives and countering disinformation.