Customer data, including sensitive medical records from India's largest health insurer, Star Health, was discovered accessible through chatbots on Telegram. This revelation comes shortly after the app, founded by Pavel Durov, was scrutinized for allegedly enabling criminal activities.
Security expert Jason Parker notified Reuters about the chatbots, which provide access to policy documents containing private customer information such as names, addresses, phone numbers, tax details, ID copies, medical records, and test results.
A hacker using the alias "xenZen" claimed responsibility for creating the chatbots, revealing on a forum that they had obtained 7.24 terabytes of data from over 31 million Star Health customers. While some data is being shared freely through these chatbots, bulk purchases are also available.
With over 900 million active monthly users, Telegram's chatbot feature is highly popular but has faced criticism for content moderation issues and its potential misuse by malicious entities. After Reuters reported the breach, Telegram removed the chatbots offering Star Health data, though new ones have since surfaced, demonstrating the difficulty in controlling such misuse.
"Sharing personal data on Telegram is strictly prohibited and is removed when identified," said Telegram spokesperson Remi Vaughn. "We use a combination of proactive monitoring, AI, and user reports to remove millions of harmful content daily."
Star Health confirmed receiving a message from an individual claiming access to their data and has reported the incident to authorities. Their preliminary investigation showed "no widespread breach," assuring that "sensitive customer information remains secure."