Who Is Responsible for the Star Health Data Breach? Investigation Update and IRDAI’s Response
The recent data breach at Star Health Insurance, which compromised the personal data of approximately 31 million customers, is raising serious questions about accountability and regulatory oversight in India’s insurance sector. Here’s what we know so far regarding responsibility, investigation progress, and the actions taken by the Insurance Regulatory and Development Authority of India (IRDAI).
Who Is Responsible?
An initial allegation by the hacker, xenZen, suggested possible involvement from within the company. The hacker claimed that Star Health’s Chief Information Security Officer (CISO) had provided data for $28,000 but then raised the price to $150,000, after which the deal fell through. Star Health, however, has refuted these claims, asserting that there was no internal involvement. Responsibility remains a complex issue, as the company must adhere to both the Information Technology Act, 2000, and the newly enacted Digital Personal Data Protection Act, 2023, both of which hold companies accountable for securing sensitive personal data and implementing preventive measures.
Progress in the Investigation
Star Health launched a forensic investigation with independent cybersecurity experts to trace the breach and prevent further data leakage. Additionally, the company took legal steps by approaching the Madras High Court, which directed platforms like Telegram to disable access to the leaked data. Telegram complied by removing the bots that were actively sharing customers’ sensitive information. However, no official report on the findings of the internal investigation has yet been released, leaving the situation ongoing as regulators continue their scrutiny.
Regulator IRDAI’s Response
The IRDAI, India’s insurance regulator, is tasked with ensuring that insurance companies maintain cybersecurity and data privacy standards. Following the breach, IRDAI has been closely monitoring Star Health’s compliance with its Cybersecurity and Cyber Resilience Framework, a 2017 guideline requiring insurers to have strong data protection protocols, risk assessment, and incident management plans. IRDAI has not issued specific penalties or additional guidelines to Star Health publicly but is expected to demand transparency and improvements in the company’s data security measures. The breach may also prompt IRDAI to review and potentially strengthen its cybersecurity requirements across the industry.
What’s Next?
The incident at Star Health has highlighted significant vulnerabilities within data management practices and regulatory oversight in the Indian insurance industry. As the investigation progresses, both the company and regulators may need to address and reinforce data protection practices, ensuring adherence to IRDAI guidelines and recent privacy laws. The situation remains under scrutiny, with further updates anticipated as IRDAI evaluates the adequacy of Star Health’s response and implements any additional regulatory actions to prevent such incidents in the future.