By Munsif Vengattil and Aditya Kalra
BENGALURU (Reuters) -Top Indian insurer Star Health has sued Telegram and a self-styled hacker after Reuters reported that the hacker was using chatbots on the messaging app to leak personal data and medical reports of policy holders.
The lawsuit comes amid growing scrutiny of Telegram globally and the arrest of its founder Pavel Durov in France last month, with the app’s content moderation and features allegedly abused for illegal activities. Durov and Telegram denied wrongdoing and are addressing the criticism.
Star has received a temporary injunction from a court in its home state of Tamil Nadu ordering Telegram and the hacker to block any chatbots or websites in India that make available the data online, according to a copy of the order.
Star has also sued U.S.-listed software firm Cloudflare (NYSE:NET) Inc in the lawsuit, saying the leaked data on websites were hosted using its services.
“Confidential and personal data of … customers and of the plaintiff’s business activities in general has been hacked and leaked by using the platform (of Telegram),” the Madras High Court order dated Sept. 24 quoted Star as saying.
Star, a listed entity with a market cap exceeding $4 billion, made details of the lawsuit public for the first time in a newspaper advertisement in The Hindu on Thursday.
The court has issued notices to Telegram as well as Cloudflare in the matter, and will next hear the case on Oct. 25.
The newspaper ad by Star stated the company had asked for injunction restraining Telegram and Cloudflare from using the trade name “Star Health” or making available any of its data online.
Star Health, Telegram and Cloudflare did not respond to a Reuters request for comment.
The ability for users to create chatbots is widely credited with helping Dubai-based Telegram become one of the world’s biggest messenger apps with 900 million active monthly users.
Reuters last week reported that an individual dubbed xenZen had made stolen data including medical reports of Star customers publicly accessible on Telegram, just weeks after Telegram’s founder was accused of allowing the app to facilitate crime.
Star had earlier said its initial assessment showed “no widespread compromise” was detected and that “sensitive customer data remains secure”.
Two chatbots distributed Star Health data. One offered claim documents in PDF format. The other allowed users to request up to 20 samples from 31.2 million datasets with a single click giving details including policy number, name and even body mass index.
In testing the bots, Reuters downloaded more than 1,500 files with some documents dated as recently as July 2024, which included policy and claims documents featuring names, phone numbers, addresses, tax cards, copies of ID cards, test results, medical diagnoses and blood reports.
Reuters shared details of the chatbots with Telegram on Sept. 16 and within 24 hours spokesperson Remi Vaughn said they had been “taken down”. More chatbots appeared later.
Star has also sued the purported hacker, xenZen, in the lawsuit. The hacker in an email to Reuters on Thursday said they will join the hearings online if permitted.
The Star Health chatbots are part of a broader trend of hackers using such methods to sell stolen data. Of five million people whose data was sold via chatbots, India represented the largest number of victims at 12%, showed the latest survey on the epidemic conducted by NordVPN at the end of 2022.