On October 15, 2024, the Software Freedom Law Centre India (SFLCI), a legal services organization based in New Delhi, formally asked the Indian Computer Emergency Response Team (CERT-In) to investigate a significant cybersecurity incident. The incident is a severe data breach affecting Star Health and Allied Insurance, one of the largest health insurance providers in India. The breach has reportedly exposed some of the most sensitive personal information of over 31 million customers, including full names, phone numbers, addresses, tax details, identification documents, medical test results, and diagnoses.
The breach first came to light when a hacker allegedly made 7.24 terabytes of data available for purchase on a dark web marketplace for $150,000. Notably, the incident also involved a ransom demand of $68,000 directed at Star Health. The SFLCI highlights the potential risks associated with the exposure of such critical medical information, emphasizing that it can lead to identity theft, fraud, and emotional distress for the affected customers.
In their communication to CERT-In, the SFLCI underscored the profound implications of medical data breaches, which not only jeopardize individual privacy but may also facilitate fraudulent activities by unscrupulous entities in the healthcare sector, such as deceptive insurance firms and laboratories. They asserted the necessity for stringent protection of medical information and stated that confidentiality must be matched by an elevated standard of accountability.
The organization also invoked the broader context of recent significant data leaks in India, referring to previous breaches involving the Aadhaar and CoWIN systems, which have heightened concerns about the adequacy of the nation’s cybersecurity measures. Specifically, the SFLCI urged CERT-In to expedite investigations into such breaches, citing an alarming lack of effective data protection mechanisms in India. Stressing the need to enact rules under the Digital Personal Data Protection Act, 2023, they warned that without these regulations, India would be ill-equipped to manage the harms arising from data breaches effectively.
In terms of the MITRE ATT&CK framework, the tactics potentially employed in this incident may include initial access, achieved through techniques such as phishing or exploiting vulnerabilities in public-facing applications. Persistence methods might also have been used, enabling attackers to maintain access over time and complicating detection and remediation efforts. Given the sensitivity and scale of the data involved, privilege escalation techniques could also have played a role, allowing unauthorized users to gain higher-level access within the system.
In conclusion, the SFLCI’s appeal to CERT-In reflects a growing awareness within India’s cybersecurity landscape regarding the need for robust defense mechanisms against data breaches. As businesses and individuals increasingly fall prey to cyber threats, the urgency for developing and implementing comprehensive data protection laws becomes paramount.