Bangalore, India's top insurance company Star Health (STAU.NS), has sued Telegram and an individual claiming to be a hacker after Reuters reported that a chatbot on the messaging app leaked personal data and medical reports of policyholders.
This lawsuit comes as Telegram is increasingly under global scrutiny, with its founder Pavel Durov arrested last month in France, allegedly for the app's content moderation and features being misused for illegal activities. Durov and Telegram have denied any wrongdoing and are responding to the criticism.
Star has received a temporary injunction from the Tamil Nadu court, ordering Telegram and the hacker to block any chatbots or websites offering data online within India.
Star has also sued the US-listed software company Cloudflare Inc (NET.N), in a new tab in the lawsuit, claiming that the data on the leaked website was hosted using its services.
The Madras High Court's order issued on September 24 cited The Star newspaper saying: "The confidentiality and personal data of the customers and the plaintiff's general business activities have been hacked and leaked through the use of the (Telegram) platform."
Star Media is a publicly listed company valued at over $4 billion, which first publicly disclosed the details of the lawsuit in a newspaper advertisement in The Hindu.
The court has issued notices to Telegram and Cloudflare and will hear the case again on October 25.
Star advertised in the newspaper that the company has requested an injunction to prohibit Telegram and Cloudflare from using the "Star Health" trademark or offering any of its data online.
Star Health, Telegram, and Cloudflare have not yet responded to requests for comment.
The ability to create chatbots is widely considered to have helped Dubai-based Telegram become one of the world's largest messaging apps, with 900 million active users per month.
Reuters reported last week that an individual using the pseudonym xenZen publicly disclosed the stolen data (including Star customers' medical reports) on Telegram. A few weeks ago, the founder of Telegram was accused of allowing the app to facilitate criminal activities.
Star previously stated that its initial assessment showed "no evidence of a large-scale intrusion" and that "sensitive customer data remains secure."
Two chatbots distributed Star Health data. One provided PDF format claim documents. The other allowed users to request up to 20 samples from a dataset of 31.2 million with a single click, providing details including policy numbers, names, and even body mass index.
During testing of the bots, Reuters downloaded over 1,500 files, some of which dated as recent as July 2024, including policy and claim documents containing names, phone numbers, addresses, tax cards, ID copies, test results, medical diagnoses, and blood reports.
On September 16, Reuters shared details of the chatbots with Telegram, and within 24 hours, spokesperson Remi Vaughn stated that these bots had been "taken down." More chatbots appeared subsequently.
Star has also sued the alleged hacker xenZen. The hacker stated in an email to Reuters on Thursday that they would participate in the hearing online if allowed.
The Star Health chatbot is part of a broader trend of hackers using such methods to sell stolen data. A recent survey by NordVPN at the end of 2022 showed that among 5 million people selling data through chatbots, victims in India were the most numerous, accounting for 12%.
