Leading Indian insurance provider Star Health has filed a lawsuit against Telegram and a self-proclaimed hacker following a Reuters report that revealed the hacker was utilizing chatbots on the messaging app to disseminate personal data and medical records of policyholders. This legal action comes at a time when Telegram is facing increased global scrutiny, including the recent arrest of its founder Pavel Durov in France, over allegations that the app's content moderation and features are being exploited for illegal activities. Durov and Telegram have refuted these claims and are actively addressing the criticisms.
Star Health has obtained a temporary injunction from a court in Tamil Nadu, its home state, instructing Telegram and the hacker to disable any chatbots or websites in India that publish the leaked data. A copy of the order reveals that Star has also named US-based software company Cloudflare Inc in the lawsuit, alleging that the leaked data on websites were hosted using its services.
The Madras High Court order, dated September 24, quoted Star as stating, "Confidential and personal data of...customers and of the plaintiff's business activities in general has been hacked and leaked by using the platform (of Telegram)." For the first time, Star made details of the lawsuit public through a newspaper advertisement in The Hindu on Thursday.
The court has issued notices to both Telegram and Cloudflare, with the next hearing scheduled for October 25. The newspaper ad by Star requested an injunction to prevent Telegram and Cloudflare from using the trade name "Star Health" or making any of its data available online.
Telegram's user-friendly chatbot creation feature has been instrumental in its rise to become one of the world's largest messenger apps, boasting 900 million active monthly users. However, Reuters recently reported that an individual known as xenZen had made stolen data, including medical reports of Star customers, publicly accessible on Telegram, just weeks after Telegram's founder was accused of allowing the app to facilitate crime.
Star had previously stated that its initial assessment indicated "no widespread compromise" and that "sensitive customer data remains secure." Two chatbots were distributing Star Health data; one provided claim documents in PDF format, while the other allowed users to request up to 20 samples from 31.2 million datasets, revealing details such as policy number, name, and body mass index.
In testing the bots, Reuters downloaded over 1,500 files, some dated as recently as July 2024, which included policy and claims documents featuring names, phone numbers, addresses, tax cards, copies of ID cards, test results, medical diagnoses, and blood reports. Reuters shared details of the chatbots with Telegram on September 16, and within 24 hours, spokesperson Remi Vaughn confirmed they had been "taken down." However, more chatbots appeared later.
Star has also sued the alleged hacker, xenZen, in the lawsuit. The hacker, in an email to Reuters on Thursday, stated they would join the hearings online if permitted. The Star Health chatbots are part of a broader trend of hackers using such methods to sell stolen data. According to a recent survey by NordVPN at the end of 2022, of the five million people whose data was sold via chatbots, India represented the largest number of victims at 12 percent.