Online Fraud: IRDAI suggests strict guidelines to prevent leaks similar to the Star Health case

To combat online fraud, the Insurance Regulatory and Development Authority of India (IRDAI) has brought in stricter regulations. This initiative follows a series of notable fraud incidents at insurers such as Star Health Insurance Company.

According to the 2024 Insurance Fraud Monitoring Framework, insurers are required to implement strict measures such as: E.g., board-approved anti-fraud policies, autonomous fraud monitoring units (FMUs), enhanced cybersecurity defenses, and routine fraud intelligence initiatives.

“Cyber ​​fraud can have far-reaching consequences, including identity theft, financial fraud, reputational damage, etc.,” IRDAI’s draft guidelines said.

“Personal information such as KYC details, financial data and medical records are highly sought after by cybercriminals who exploit vulnerabilities in security measures to gain unauthorized access to this sensitive data available with insurers or distribution channels,” it added.

Data leak at Star Health

The action taken by IRDAI was in response to a security breach involving the Chief Information Security Officer of Star Health Insurance. A person named “xenZen” claimed the executive sold company data and tried to extort more money in exchange for permanent access. The hacker has now put the data up for sale for $150,000, or in smaller increments of $10,000, potentially putting policyholder data at risk of widespread dissemination.

In September, Star Health took legal action against Telegram and an individual responsible for a security breach, according to a Reuters report. The investigation revealed the unauthorized disclosure of personal information and medical records of approximately 30 million Star Health policyholders via chatbots on the Telegram platform.

In response to a recent hacker attack on Star Health Insurance's customer database, the Madras High Court on Friday issued a direction to social media application Telegram to remove and block all identified posts or 'chatbots'. Additionally, the Supreme Court encouraged Star Health to provide Telegram with the necessary information to successfully delete the leaked data.

During the legal proceedings in the Madras High Court, Star Health filed a petition against Telegram and other platforms after its database was hacked. It turned out that hackers were using messaging platforms to leak sensitive information.
The legal representative of Star Health Insurance asked the court to issue an injunction against Telegram for publishing confidential data.

However, Telegram explained that it was unable to proactively search for leaks on its platform. The messaging platform agreed to remove the leaked information after receiving specific details from the insurer.

To this, Telegram's lawyer replied: “I (Telegram) do not have the power to patrol or monitor all bots and take them down.” I can only block or disable a channel when a specific violation is reported. If I continue to search all the posts looking for Star Health and remove it, I will be violating the IT Act.”