Star Health Data Breach 2024 — 31M Customer Records Exposed via Telegram Bots: Full Technical Analysis & DPDP Implications

The Star Health breach was not a sophisticated zero-day. It was not an APT campaign. It was not an exotic supply-chain compromise. It was a working business model — one threat actor, two Telegram bots, $150,000 demanded, and the medical records of one in every 45 Indians available for free queries to anyone with a chat client. This post reconstructs what we know about how the data left the perimeter, what was actually exposed, what Star Health did right and wrong in their response, and — most importantly — what every Indian organisation handling sensitive PII must change about its threat model in the wake of this incident.

What happened — the bot economy of stolen data

On 19 August 2024, a threat actor using the handle “xenZen” registered two Telegram bots: @StarHealth_LeaksBot and @StarHealthLeaks_Bot. The bots had a single function: type any Indian mobile number, receive that customer’s complete Star Health record. Tests by Reuters reporters confirmed the bots returned valid data in seconds — full name, PAN, address, date of birth, complete claim history with line-item medical procedures, prescription histories, hospital admission notes, and copies of submitted documents including Aadhaar (with masked digits per UIDAI guidance, but with enough other context to re-identify). The bots also published 1,000-record sample dumps on the message channel for free, with the full 7.24 TB dataset offered for sale at $150,000. Researcher Jason Parker (CloudSEK) catalogued the bot operations and disclosed responsibly to Star Health. By 26 September 2024, Reuters and the Hindu had published the story, Telegram had removed the bots, and Star Health had filed an interim injunction in the Madras High Court — but the data had already mirrored to dark-web forums BreachForums (revived) and several Russian-language Telegram channels. The bots being banned closed one storefront; the data itself was permanent.

The scale — 31 million Indians, 7.24 TB, granular medical detail

The dataset that researchers analysed contained records on approximately 31 million people — significantly more than Star Health’s claimed 17 million policyholders, suggesting the data included family members listed on policies, claim co-applicants, dependants, hospital staff metadata, and possibly partner-network records. Per-record fields: Customer ID, Policy Number, Full Name, PAN, Date of Birth, Phone, Email, Address, Pin Code, Claim Number, Claim Date, Hospital Name, Treating Doctor, Diagnosis ICD-10 Code, Treatment Procedure, Bill Amount, Claim Status, attached scanned documents (claim forms, ID proofs, hospital bills, discharge summaries), and policy documents themselves. Why this matters more than a typical PII breach: health data carries higher risk weight under DPDP Act 2023 (Section 8 governs sensitive personal data; medical info is explicitly named). Combined with PAN + phone + address, a single record enables identity theft, insurance fraud, targeted phishing using known health conditions (“Mr. Kumar, our records show your diabetes follow-up is overdue — pay ₹500 to confirm appointment”), discrimination by employers or future insurers, and emotional manipulation against patients with stigmatised diagnoses. Researchers found records relating to HIV treatment, cancer diagnoses, mental health conditions, abortion services — the kind of data whose disclosure can destroy lives, careers, and marriages.

How they got in — competing claims and the insider question

Three theories about the initial access vector circulated in the weeks after disclosure. (1) Insider theft. The threat actor xenZen alleged in chats with researcher Jason Parker that Star Health’s CISO had directly sold access for an unspecified sum and continued to provide updated data dumps on demand. xenZen produced screenshots of alleged WhatsApp conversations, payment receipts, and access logs. Star Health publicly denied the insider claim and stated the CISO was “uninvolved.” However, the precision and freshness of the data — records dated up to August 2024 — strongly suggested either insider access or persistent compromise. (2) API enumeration. Some independent researchers theorised that an unauthenticated or weakly-authenticated internal API endpoint allowed sequential enumeration of policy IDs. This is consistent with the bot pattern: attacker has bulk static dump, queries by phone or policy number against a lookup index. (3) Exposed S3-like storage. A misconfigured object-storage bucket containing claim PDFs and exports could have been scraped wholesale. The 7.24 TB volume aligns with thousands of scanned PDFs at 1-5 MB each plus structured exports. What we know for certain: Star Health’s public statements have not addressed the technical root cause. The Madras High Court interim order required Telegram and X (Twitter) to remove infringing accounts but did not require Star Health to disclose the access path. As of mid-2025, the lawsuit between Star Health and the alleged insider remains pending.

Timeline — eight weeks from quiet harvest to global headlines

Pre-August 2024: Data exfiltration occurs (timeline unknown — could span months). ~19 August 2024: First Telegram bot goes live. Late August – early September: Bot operates in relative obscurity; threat-intel researchers note its existence but disclosure is staggered. 20 September 2024: CloudSEK’s Jason Parker publishes initial findings; Reuters investigates. 26 September 2024: Reuters story breaks publicly. Star Health stock drops 6% intraday. CISO publicly identified by name in Reuters report. 27-30 September 2024: Star Health files Madras High Court suit against Telegram, X, the alleged insider, and “John Doe” defendants. Court grants interim injunction requiring takedowns. Early October 2024: Telegram bots removed. Data mirrors appear on BreachForums. Indian regulators (CERT-In, IRDAI, MeitY) issue advisories. October 2024 – January 2025: Multiple class-action style petitions filed by affected customers. Insurance regulator IRDAI initiates enquiry. 2025: Lawsuit grinds through court system. No public regulatory penalty announced as of mid-2025; DPDP rules notification still pending the necessary government framework. Star Health implements new technical controls (claimed) but has not published an incident report.

Technical analysis — why Telegram bots are the new BreachForums

Telegram bots have become a preferred breach-monetisation channel because they offer attackers operational advantages over traditional dark-web markets. (1) Lower friction: a bot takes seconds to deploy, requires no escrow infrastructure, and accepts queries from any Telegram user without account creation on a sketchy forum. (2) Plausible deniability for the platform: Telegram’s policy is reactive — bots remain online until reported and reviewed. (3) Built-in monetisation: bots can charge per-query in cryptocurrency via integrated payment hooks; Star Health’s bots offered free 1,000-record samples and paid full-database access. (4) Audience reach: Telegram has 950 million monthly users globally (June 2024 figures); discoverability through cross-channel promotion in OSINT and “leak” channels reaches researchers, criminals, and curious civilians simultaneously. (5) Resilience: when one bot is removed, the data is already mirrored. Defenders win individual battles, lose the war. For SOC teams, the Telegram-bot-as-leak-store pattern means traditional dark-web monitoring (which focuses on Tor forums and paste sites) misses an entire vector. Add Telegram channel monitoring, bot-name pattern matching, and cross-channel mirror tracking to your threat-intel stack. CloudSEK, Recorded Future, Hudson Rock, and IntSights all offer Telegram surveillance feeds; price ranges $1,000-$10,000 per month depending on coverage depth.

Indicators of compromise — what to look for in your own logs

For organisations potentially adjacent to or downstream of the Star Health incident, here are the tactical indicators worth scanning for. Bot identifiers: Telegram bot usernames @StarHealth_LeaksBot, @StarHealthLeaks_Bot (now removed but historical references in your DLP / proxy logs may indicate employee curiosity or reconnaissance). Threat actor handle: xenZen across BreachForums, Telegram, dark web — track for re-emergence under aliases. Data-broker activity: if your domain or customer base has any overlap with Star Health’s policyholders (insurance partners, hospital networks, TPAs, employee benefit programs), watch for credential-stuffing waves using leaked credentials, and for targeted spear-phishing referencing health information your customer would not expect any third party to know. API rate-limit anomalies: review your own API access logs for any patterns matching the suspected enumeration vector — long-running scrapes, authenticated sessions making sequential ID lookups, single-tenant credentials being used outside business hours. S3 / Azure Blob audit: run a CSPM scan (Wiz, Lacework, Prisma Cloud, or open-source CloudSploit) against your storage configuration; the bar for “what counts as private” needs to be that any bucket containing PII has access logs enabled, public access blocked, and bucket-policy denying anonymous access by explicit deny.

Detection — what your SOC should be hunting for right now

Concrete SOC-team detection queries to run. (1) Database query anomalies: alert on any SELECT statement returning more than N rows from a customer or claims table, where N is your normal page size × 10. Insider extraction usually involves either many small queries below thresholds or a few enormous ones above; both deserve scrutiny. (2) Bulk export jobs: instrument your reporting and analytics tools (Power BI, Tableau, Sisense, internal dashboards) to log every “export to CSV” or “download report” event. Build a baseline of normal export volume per user; alert on outliers. (3) Privileged user behavioural baseline: for users with broad data access (CISO, DBAs, engineering leadership), deploy User and Entity Behaviour Analytics (UEBA) — baseline their normal access patterns and alert on deviations (off-hours bulk access, access to data outside their normal scope, sustained high-volume queries). (4) Egress monitoring: outbound TLS connections to large-file-hosting services (anonfile, mega.nz, file.io, transfer.sh) from internal hosts is a high-fidelity signal of data being staged for exfiltration. Block by default; alert on attempts. (5) Honey records: seed your customer database with synthetic records (fake customers with monitored phone numbers, emails, PAN-format-but-invalid IDs). Any access to these records is unambiguous evidence of insider browsing or external scraping.

Mitigations — concrete actions for any organisation handling PII

A 12-item action list for organisations that store regulated personal data and want to avoid being the next Star Health. (1) Encrypt sensitive data at rest with column-level keys; access without decryption permission yields ciphertext, not plaintext. (2) Implement field-level access controls so even authorised users see masked data unless their specific role requires it (e.g., underwriters see full diagnosis; customer-service agents see only “claim status: approved/pending”). (3) Disable bulk export by default; require approval workflow for any query returning more than 1,000 records. (4) Tokenise PAN/Aadhaar at ingestion; store tokens in primary tables, plaintext in a separate vault accessed only by services that genuinely need it. (5) Deploy a Database Activity Monitor (Imperva, IBM Guardium, open-source like Datasunrise or Maxscale Audit) — full SQL-level visibility, not just connection logs. (6) Privileged Access Management (CyberArk, BeyondTrust, open-source Teleport) for all DBA/sysadmin sessions, with full session recording. (7) Mandatory MFA for every user (no exceptions for executives) using phishing-resistant factors (FIDO2/WebAuthn, not SMS or TOTP for high-risk accounts). (8) Quarterly access reviews — what users have what permissions, do they still need them, and if they left, are their tokens revoked everywhere? (9) Insider-threat program: HR + Legal + Security cross-functional ownership, anonymous reporting channel, exit-interview protocol that includes data-access offboarding. (10) External attack surface management — know what of your infrastructure is publicly addressable; many incidents start with forgotten subdomains. (11) Incident response runbook tested quarterly via tabletop exercise. (12) Cyber insurance reviewed annually with a focus on what’s covered (data breach response costs, regulatory fines under DPDP, third-party class action defence).

India context — DPDP Act 2023 implications and the regulatory aftermath

The Star Health breach landed in a strange limbo. The Digital Personal Data Protection Act 2023 was passed by Parliament in August 2023 but its operational rules — including the precise composition of the Data Protection Board (DPB), penalty calculation methodology, and breach notification timelines — were not formally notified until 2024-2025 and remain in implementation. As a result, Star Health faced no clear DPDP penalty for the breach itself, falling instead under the older IT Act 2000 Section 43A “reasonable security practices” framework which limits compensation to actual damages proven by individual plaintiffs. Under DPDP Act, the calculus would be radically different: Section 33 caps penalties at ₹250 crore per violation, with the personal-data-breach category attracting penalties up to that ceiling. The DPB has discretion based on factors including the duration of the breach, the number of data principals affected, and the steps the Data Fiduciary took to mitigate the breach. A breach affecting 31 million people across multiple categories of sensitive personal data (health, financial, identity) would credibly attract the maximum penalty. For organisations processing personal data in India in 2025-2026: assume DPDP enforcement is inbound. Build your breach-notification workflow now (CERT-In already requires reporting within 6 hours of “significant” cyber incidents per the April 2022 Directions). Document every consent flow. Maintain a Record of Processing Activities (RoPA). Designate a Data Protection Officer. Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing. The first major DPDP penalty will be precedent-setting and you do not want your company to be the precedent.

Lessons learned — what every CISO and CIO should take from this

Five lessons that translate directly into actions you can execute this quarter. (1) Insider threat is the dominant unsolved risk. External attackers can be defended against with layered controls. Insiders bypass most of them by definition. The Star Health allegations against the CISO may or may not be true, but the structural problem — that one trusted person in your organisation can compromise everything — is real and needs purpose-built mitigation: separation of duties, full session recording, behavioural analytics, and a culture where reporting suspected insider activity is rewarded not retaliated against. (2) Data minimisation is the only durable defence. Star Health stored 7.24 TB of granular customer data because they collected it under “we might need it for analytics.” Every byte you don’t store is a byte that cannot leak. Quarterly data-retention reviews; aggressive purge of records past their business utility; replace original PII with hashes wherever possible. (3) Telegram is the modern leak channel. Your dark-web monitoring is incomplete if it doesn’t cover Telegram bots and channels. Either pay for it or build it. (4) Crisis comms determines reputation impact. Star Health’s response was legally aggressive (lawsuits, takedowns) but communicatively opaque (no public root-cause analysis, no proactive customer notification, no apology). Customers learned of their exposure from journalists, not from the company. The blast radius was preventable; the trust damage was self-inflicted by silence. (5) Regulators are watching. Even before formal DPDP enforcement, IRDAI initiated parallel inquiries; CERT-In issued advisories; the Madras High Court created precedent. The cost of a breach in India in 2025 is no longer just direct losses — it is regulatory scrutiny, court-ordered disclosure, and the slow, expensive grind of class-action plaintiffs. Plan for all three.

What to do this week — concrete checklist for security leaders

A practical seven-day action plan for CISOs of organisations handling Indian customer PII. Day 1 (Monday): Run a discovery query against your customer database — how many records do we have, what fields, what PII categories, where are they stored, who has access? Document gaps. Day 2: Audit privileged accounts. Pull a list of every user with read access to customer records. Cross-reference against current employees + active contractors. Revoke immediately for anyone who left. Day 3: Review API and export logs for the past 90 days. Anomalous bulk queries? Off-hours admin access? Single user pulling unusual record volumes? Investigate each. Day 4: Set up Telegram and dark-web monitoring for your brand name + product names. Free tools: GitGuardian, Have I Been Pwned, OSINT Combine’s free tier. Commercial: CloudSEK, Hudson Rock, Recorded Future. Day 5: Brief your executive team. Star Health’s incident is a prebuilt slide deck for “this could be us.” Use it. Get budget approval for anything material that you’ve been deferring (DAM, UEBA, PAM tooling). Day 6: Update your incident response runbook. Add a “discovered in public Telegram bot” scenario. Rehearse the first 6 hours: who calls CERT-In, who briefs legal, who decides on customer notification, who handles press. Day 7: Audit your data retention. What can you delete? Most organisations store PII for years past its business value — every record you delete now is one that cannot leak in 2027.

Wider implications — how this incident reshapes Indian cyber policy

The Star Health breach is already shaping the implementation of DPDP Act rules in 2025-2026. Three specific policy levers are being adjusted in part because of this incident. (1) Breach-notification timelines. The pre-existing CERT-In Directions (April 2022) require notification within 6 hours of “significant cyber incidents.” Industry pushback to extend this to 72 hours (matching GDPR) has weakened — Star Health’s response showed that even 6 hours is generous when the data is already public. (2) Sensitive Personal Data classification. The DPDP Act’s definition of sensitive personal data is being clarified through subordinate rules; expect explicit inclusion of insurance claim data, hospital records, and biometric data with stricter consent and processing requirements. (3) Cross-border data flow. One unspoken aspect of the breach is that the data, once on Telegram, immediately replicated outside India’s jurisdiction. The DPDP Act’s data-localisation provisions for sensitive categories may be enforced more strictly in the wake of incidents like this — expect specific country-blacklists for transfers. (4) Sectoral overlay. IRDAI is independently considering insurance-specific cybersecurity standards modelled partly on the US NAIC Insurance Data Security Model Law. Health insurers may face the strictest requirements. Star Health will not be the last Indian breach to make headlines, but it has set the template for what regulators, courts, and customers expect from incident response — and the bar is higher than what most organisations are prepared to clear.

FAQ

Was my data in the Star Health leak?

If you held a Star Health policy any time before September 2024, assume yes. The leaked dataset reportedly covered 31 million records spanning years of policy issuances and claims. There is no official “check if you were affected” tool published by Star Health. Researchers running mirrors of the dataset for academic purposes have generally declined to provide individual lookup services to avoid normalising re-victimisation. Best assumption: treat your phone, PAN, and address as compromised; enable transaction alerts on bank accounts; be highly suspicious of any unsolicited call or SMS referencing your insurance, hospital visits, or medical conditions.

Can Star Health be sued under DPDP Act?

Technically yes once the DPDP Act enforcement framework is fully operationalised; in practice, the breach predates clear penalty rules. Civil liability under IT Act §43A is available now, but requires individual plaintiffs to prove specific damages — expensive and slow. Class-action suits in the consumer commission framework are the more practical avenue and several have been filed.

How does this compare to Western breaches like Equifax or Anthem?

Scale: Equifax was 147M Americans (~45% of US population); Star Health is 31M Indians (~2% of population) but a much higher percentage of insured Indians. Sensitivity: Anthem and Star Health are comparable — both involve health data, identity, and address. Regulatory response: Equifax paid $700M in settlements and consent decrees; Anthem $115M; Star Health currently faces no comparable settlement pressure due to weaker regulatory enforcement infrastructure (this is changing under DPDP).

What should other Indian insurers do differently?

Three priorities: (1) audit insider-access controls and implement session recording for any privileged account; (2) deploy database activity monitoring with anomaly detection on bulk-data access patterns; (3) build a public-facing breach-response page template now so that if you have an incident, the first thing customers see is information from you, not from Reuters.

Is the leaked data still available somewhere?

Yes. Once data is published to multiple Telegram channels and dark-web forums, it is permanent. Takedowns remove individual storefronts but cannot recall copies already downloaded. The dataset will continue to circulate among credential-stuffing operators, identity-theft rings, and academic researchers indefinitely. Plan your defences accordingly — assume the data is and will remain public.

Were Star Health customers notified directly?

Customer notification was not aggressive. Most affected customers learned of their exposure through Reuters and Hindu reporting in late September 2024 rather than from Star Health proactively. Star Health did publish a statement on its website acknowledging the situation but did not, as of mid-2025, send individual breach-notification letters or emails to all affected policyholders. This is itself a regulatory issue under DPDP Act when fully enforced.

📰 Note: This analysis is compiled from public reporting (Reuters, Bloomberg, court filings, threat-intel firm publications) and is intended for security education. Some technical details remain disputed in ongoing legal proceedings; we have attributed claims where the source is established and noted where matters remain contested.