Insurance Sector Under Siege - cyber breaches in 2024
- Mohnish Singh
- Nov 3, 2024
- 4 min read
The recent cyber breaches affecting Star Health and Allied Insurance (a single insurer, despite the two names in its title) and Tata AIG highlight significant vulnerabilities within India's insurance sector, which is regulated by the Insurance Regulatory and Development Authority (IRDA) and, for listed insurers, the Securities and Exchange Board of India (SEBI). These incidents underscore the need for the controls set out in the IRDA's Cyber Security Guidelines 2023, which mandate periodic risk assessments and tested incident response plans to protect sensitive customer data.
Threat actors typically employ tactics such as phishing, ransomware, and exploiting software vulnerabilities. Their techniques often involve gaining unauthorized access to systems to steal or compromise data, leading to financial losses and reputational damage for the affected companies. The IRDA's framework aims to enhance resilience against such threats through comprehensive audits and compliance requirements.
The post-breach reviews of Star Health and Allied Insurance and Tata AIG point to critical vulnerabilities and systemic issues at both companies.
Company | Threat Actor | Data Breached | Impacted Customers | Ransom Demanded |
--- | --- | --- | --- | --- |
Star Health and Allied Insurance | xenZen | 3.1 crore (31 million) records | 31 million | $150,000 (raised from $28,000, per the hacker's account) |
Tata AIG General Insurance | Not disclosed (a threat actor claimed to hold a "small portion" of its data) | Not quantified | Not specified | None reported |
Recent data breaches involving Star Health and Allied Insurance and Tata AIG General Insurance have raised significant concerns regarding the security of customer data in the insurance sector. Below is a comparison of these incidents, detailing the threat actors involved, data breach figures, impacted customers, and ransom demands. Note that "Star Health and Allied Insurance" is the full name of one company; no separate breach of a company called "Allied Insurance" has been reported, so the comparison covers two insurers, not three.
Star Health and Allied Insurance
Threat Actor: The breach was claimed by a threat actor using the handle xenZen. The hacker alleged that a Star Health official sold them the data; the company has not confirmed this.
Data Breached: Approximately 3.1 crore (31 million) customer records were reported compromised, including names, phone numbers, addresses, PAN numbers and medical records.
Impacted Customers: Over 31 million customers were potentially affected.
Ransom Demanded: The $28,000 and $150,000 figures come from xenZen's own account of the deal: $28,000 was allegedly agreed as the price for the data, and the figure was later raised to $150,000 for continued access. Neither amount has been independently confirmed.
Tata AIG General Insurance
Threat Actor: Although specific details about the hacker were not disclosed, Tata AIG confirmed that they were aware of claims made by a threat actor regarding possession of their data.
Data Breached: The exact amount of data breached has not been publicly quantified; however, it was reported that a "small portion" of Tata AIG's data was claimed to be held by the threat actor.
Impacted Customers: The number of impacted customers has not been specified in available reports.
Ransom Demanded: No specific ransom amount has been reported for Tata AIG at this time.
Allied Insurance
"Allied Insurance" is not a third company: it is the second half of the name Star Health and Allied Insurance Co. Ltd., the insurer covered above. No separate breach of an entity called Allied Insurance has been reported, which is why no threat actor, data volume, customer count or ransom figure can be given for it; the Star Health figures are the relevant ones.
Key Findings:
Data Compromise: Star Health reported a breach affecting 31 million customers, with sensitive data like PAN numbers and medical records compromised. The hacker, known as xenZen, claimed to have accessed 7.24TB of data, which was offered for sale online.
Internal Allegations: Allegations surfaced against Star Health's Chief Information Security Officer (CISO), Amarjeet Khanuja, suggesting potential complicity in the breach. However, the company maintains that he is cooperating with investigations and no wrongdoing has been confirmed.
Regulatory Response: The IRDA has mandated comprehensive IT audits for affected companies to identify vulnerabilities and implement stronger security measures. Insurers are required to engage independent auditors to assess their cybersecurity frameworks.
Root Cause Analysis: The affected insurers report that they are conducting root cause analyses, have isolated impacted systems, and are working with external cybersecurity firms to strengthen their defenses.
These findings underscore the urgent need for improved cybersecurity protocols across the insurance sector to safeguard sensitive customer data.
For Star Health, the reported initial access path combined credential theft with exploitation of a vulnerability; no comparable technical detail has been disclosed for Tata AIG:
Credential Theft: According to some reports, xenZen obtained working login credentials from an unrelated credential dump circulating on the dark web. This account contradicts the hacker's own claim, above, that a Star Health official sold the data; neither version has been confirmed.
Exploiting API Vulnerabilities: With valid credentials, xenZen reportedly exploited an Insecure Direct Object Reference (IDOR) flaw in Star Health's API. Once logged in, changing the record identifier in the request URL returned other customers' data, because the API checked that the caller was authenticated but not that the caller was entitled to the specific record requested.
Social Engineering: The reports do not describe social engineering in these incidents, but phishing and similar tactics are a common way for attackers to obtain credentials or get malware installed, and any root cause analysis should rule them in or out explicitly.
These methods highlight significant weaknesses in authorization checks and credential hygiene at the affected companies.
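To make the IDOR step concrete, the following Python is an added illustration written for this post; it is not code from Star Health, Tata AIG or any insurer, and nothing about their real API is known beyond the reports summarised above. The endpoint shape (/api/policy/<id>), the record fields, the user and session names and the access-log line format are all assumptions constructed for the example. It shows the authenticated-but-unauthorised handler that IDOR exploits, the hardened handler that checks ownership against the server-side session identity, the id-walking an attacker performs after login, and a simple log check that flags a session fetching more distinct records than one customer plausibly owns.

```python
"""Insecure Direct Object Reference (IDOR) on a policy-lookup endpoint:
the vulnerable handler, the hardened handler, and a log-side check for the
id-walking that exploitation produces. Added illustration only; not code
from Star Health, Tata AIG or any insurer. Every record, user, session and
log line below is constructed for the example."""
import re
from collections import defaultdict

# Constructed data store: policy_id -> record. 'owner' is the customer
# account that is entitled to read the record.
POLICIES = {
    1001: {"owner": "cust_a", "holder": "A. Sharma", "pan": "ABCDE1234F"},
    1002: {"owner": "cust_b", "holder": "B. Rao",    "pan": "FGHIJ5678K"},
    1003: {"owner": "cust_c", "holder": "C. Iyer",   "pan": "LMNOP9012Q"},
}


def get_policy_vulnerable(session_user, policy_id):
    """Authenticated but never authorised: the handler trusts the id taken
    from the URL, so any logged-in user (including one holding stolen
    credentials) reads any customer's record by changing that number."""
    if session_user is None:
        raise PermissionError("login required")
    record = POLICIES.get(policy_id)
    if record is None:
        raise LookupError("not found")
    return record


def get_policy_secure(session_user, policy_id):
    """Authorisation is decided from the server-side session identity, not
    from anything the client sent. A record that exists but belongs to
    someone else gets the same 'not found' as a missing one, so the
    endpoint cannot be used to confirm which ids are valid."""
    if session_user is None:
        raise PermissionError("login required")
    record = POLICIES.get(policy_id)
    if record is None or record["owner"] != session_user:
        raise LookupError("not found")
    return record


def walk_ids(handler, session_user, id_range):
    """What an attacker does after login: iterate over ids and keep the
    records the handler hands back. Returns the ids that were readable."""
    readable = []
    for pid in id_range:
        try:
            handler(session_user, pid)
            readable.append(pid)
        except LookupError:
            pass
    return readable


# Access-log line format assumed for the detector (constructed, not any
# real product's format): "<iso-ts> sess=<id> GET /api/policy/<n> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) GET /api/policy/(?P<pid>\d+) (?P<status>\d{3})$"
)


def enumerating_sessions(log_lines, max_distinct_ids=3):
    """Flag sessions that successfully fetched more distinct policy ids
    than one customer plausibly owns. Returns {session: distinct_count}."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "200":
            seen[m["sess"]].add(int(m["pid"]))
    return {s: len(ids) for s, ids in seen.items() if len(ids) > max_distinct_ids}


# Constructed log: one ordinary customer session (s1) and one session
# walking sequential ids (s2).
SAMPLE_LOG = [
    "2024-09-20T10:00:01Z sess=s1 GET /api/policy/1001 200",
    "2024-09-20T10:00:09Z sess=s1 GET /api/policy/1001 200",
    "2024-09-20T10:01:00Z sess=s2 GET /api/policy/1001 200",
    "2024-09-20T10:01:01Z sess=s2 GET /api/policy/1002 200",
    "2024-09-20T10:01:02Z sess=s2 GET /api/policy/1003 200",
    "2024-09-20T10:01:03Z sess=s2 GET /api/policy/1004 404",
    "2024-09-20T10:01:04Z sess=s2 GET /api/policy/1005 200",
    "2024-09-20T10:01:05Z sess=s2 GET /api/policy/1006 200",
]

if __name__ == "__main__":
    ids = range(1000, 1006)
    print("vulnerable, logged in as cust_a:", walk_ids(get_policy_vulnerable, "cust_a", ids))
    print("hardened,   logged in as cust_a:", walk_ids(get_policy_secure, "cust_a", ids))
    print("sessions walking ids:", enumerating_sessions(SAMPLE_LOG))
```

The ownership check is the fix; the identical "not found" response for foreign and missing records is the caveat that stops the hardened endpoint from leaking which ids exist. The log check is deliberately crude (a count of distinct successful fetches per session) but is the kind of signal that would have made a walk across tens of millions of sequential records visible long before 7.24TB left the network.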
The $150,000 figure attached to the Star Health breach was significant for several reasons:
1. Escalation of the Demand: By xenZen's account, $28,000 was initially agreed for access to the customer data; after further access had been obtained, and on the claim that senior management wanted a cut, the figure rose to $150,000. Whatever the truth of that account, the escalation illustrates how opportunistically the price of stolen data is renegotiated once leverage changes.
2. Threat of Data Leak: The demand was coupled with threats to leak sensitive personal information if payment was not made. This tactic is common among cybercriminals and is designed to create fear and urgency so that the organization pays quickly.
3. Public Relations Impact: The high-profile nature of the breach and the demand drew significant media attention, damaging the reputation of Star Health and raising wider concerns about data security in the insurance sector.
Overall, the $150,000 demand underscores the serious financial and reputational risks that cyber threats pose to insurers holding large volumes of personal and medical data.