SEKAR REPORTER

The Petitioner runs a proprietorship under the name and style CyberX9. They provide cyber security services and have a rich clientele. The Petitioner is also a customer of Star Health insurance Company. Star Health is one of the largest collectors of data of its customers and stores them online through its servers. While doing research on their cyber security, the Petitioner found that there were vulnerabilities in the cyber security of Star Health and the personal data of lot of customers were accessible through the same without the necessity of login and password. The information that was available were the policy details, bank account details, Aadhar card number and other personal information of the customers. The customers include high ranking government officials, politicians, members of the judiciary and other high net worth individuals.

Sekar Reporter
FacebookTwitterEmailBloggerGmailLinkedInWhatsAppPinterestTumblrShare
  1. The Petitioner runs a proprietorship under the name and style CyberX9. They provide cyber security services and have a rich clientele. The Petitioner is also a customer of Star Health insurance Company. Star Health is one of the largest collectors of data of its customers and stores them online through its servers. While doing research on their cyber security, the Petitioner found that there were vulnerabilities in the cyber security of Star Health and the personal data of lot of customers were accessible through the same without the necessity of login and password. The information that was available were the policy details, bank account details, Aadhar card number and other personal information of the customers. The customers include high ranking government officials, politicians, members of the judiciary and other high net worth individuals.
  2. The Petitioner reported these vulnerabilities to Star Health through its detailed report on 19.12.2022. However, Star Health took no steps to cure the same. However, Star Health suddenly started to blame the Petitioner for the same when in fact it is to the contrary.
  3. Simultaneously, the Petitioner reported the same to CERT-In, a body of the Ministry of Electronics and Information Technology who is the primary body to report vulnerabilities in the cyber security. CERT-In without conducting a proper investigation summarily enquired with Star Health who had falsely stated the vulnerabilities were corrected by them.
  4. In fact, Star Health had made statutory disclosures to CERT-In, IRDAI and SEBI Respondent where they have given false and limited information, but have admitted that there was a vulnerability in their system.
  5. Meanwhile, when the Petitioner stated that the public ought to know about the vulnerability since Star Health is a listed Company in the share market with public as shareholders, Star Health filed a suit with false allegations stating that the Petitioner was attempting to extort them. The suit is false and the Petitioner is resisting the same.
  6. However, the fact that the personal information of so many customers including the Petitioner were vulnerable to third parties and foreign entities was a clear violation of the right to privacy of the Petitioner, right to life of the Petitioner and right to data protection. In fact, the Star Health itself has reported another incident on 14.03.2023 to SEBI regarding another vulnerability in its mobile application.
  7. The Petitioner therefore sent representations to the Ministry of Electronics and Information Technology, Home Affairs, IRDAI and SEBI on 07.03.2023 with detailed information regarding the vulnerabilities in the cyber security of Star Health which will most certainly lead to data leak. Several reminders have been sent as well. However, there has been no proper response from any of the Respondent nor has any action been initiated against Star Health. Therefore, Writ Petition was filed seeking Writ of Mandamus against 6 Government Respondents.
  8. While the Writ Petitions were pending, on 14.08.2024, Star Health again reported that there was a hack to SEBI, IRDAI and CERT IN. This is the third incident since December, 2022. This time the hacker has exposed policies and personal details of over 3 crore customers of star health making it one of the biggest hacking incidents in India. It is the case of the Petitioner that this vulnerability in the cyber security had been reported to Star Health by the Petitioner in December, 2022 but no action was taken by them leading to the hacking incident. Therefore, the Petitioner prays that actions ought to be taken against them.
  1. The Petitioner runs a proprietorship under the name and style CyberX9. They provide cyber security services and have a rich clientele. The Petitioner is also a customer of Star Health insurance Company. Star Health is one of the largest collectors of data of its customers and stores them online through its servers. While doing research on their cyber security, the Petitioner found that there were vulnerabilities in the cyber security of Star Health and the personal data of lot of customers were accessible through the same without the necessity of login and password. The information that was available were the policy details, bank account details, Aadhar card number and other personal information of the customers. The customers include high ranking government officials, politicians, members of the judiciary and other high net worth individuals.
  2. The Petitioner reported these vulnerabilities to Star Health through its detailed report on 19.12.2022. However, Star Health took no steps to cure the same. However, Star Health suddenly started to blame the Petitioner for the same when in fact it is to the contrary.
  3. Simultaneously, the Petitioner reported the same to CERT-In, a body of the Ministry of Electronics and Information Technology who is the primary body to report vulnerabilities in the cyber security. CERT-In without conducting a proper investigation summarily enquired with Star Health who had falsely stated the vulnerabilities were corrected by them.
  4. In fact, Star Health had made statutory disclosures to CERT-In, IRDAI and SEBI Respondent where they have given false and limited information, but have admitted that there was a vulnerability in their system.
  5. Meanwhile, when the Petitioner stated that the public ought to know about the vulnerability since Star Health is a listed Company in the share market with public as shareholders, Star Health filed a suit with false allegations stating that the Petitioner was attempting to extort them. The suit is false and the Petitioner is resisting the same.
  6. However, the fact that the personal information of so many customers including the Petitioner were vulnerable to third parties and foreign entities was a clear violation of the right to privacy of the Petitioner, right to life of the Petitioner and right to data protection. In fact, the Star Health itself has reported another incident on 14.03.2023 to SEBI regarding another vulnerability in its mobile application.
  7. The Petitioner therefore sent representations to the Ministry of Electronics and Information Technology, Home Affairs, IRDAI and SEBI on 07.03.2023 with detailed information regarding the vulnerabilities in the cyber security of Star Health which will most certainly lead to data leak. Several reminders have been sent as well. However, there has been no proper response from any of the Respondent nor has any action been initiated against Star Health. Therefore, Writ Petition was filed seeking Writ of Mandamus against 6 Government Respondents.
  8. While the Writ Petitions were pending, on 14.08.2024, Star Health again reported that there was a hack to SEBI, IRDAI and CERT IN. This is the third incident since December, 2022. This time the hacker has exposed policies and personal details of over 3 crore customers of star health making it one of the biggest hacking incidents in India. It is the case of the Petitioner that this vulnerability in the cyber security had been reported to Star Health by the Petitioner in December, 2022 but no action was taken by them leading to the hacking incident. Therefore, the Petitioner prays that actions ought to be taken against them.
  1. The Petitioner runs a proprietorship under the name and style CyberX9. They provide cyber security services and have a rich clientele. The Petitioner is also a customer of Star Health insurance Company. Star Health is one of the largest collectors of data of its customers and stores them online through its servers. While doing research on their cyber security, the Petitioner found that there were vulnerabilities in the cyber security of Star Health and the personal data of lot of customers were accessible through the same without the necessity of login and password. The information that was available were the policy details, bank account details, Aadhar card number and other personal information of the customers. The customers include high ranking government officials, politicians, members of the judiciary and other high net worth individuals.
  2. The Petitioner reported these vulnerabilities to Star Health through its detailed report on 19.12.2022. However, Star Health took no steps to cure the same. However, Star Health suddenly started to blame the Petitioner for the same when in fact it is to the contrary.
  3. Simultaneously, the Petitioner reported the same to CERT-In, a body of the Ministry of Electronics and Information Technology who is the primary body to report vulnerabilities in the cyber security. CERT-In without conducting a proper investigation summarily enquired with Star Health who had falsely stated the vulnerabilities were corrected by them.
  4. In fact, Star Health had made statutory disclosures to CERT-In, IRDAI and SEBI Respondent where they have given false and limited information, but have admitted that there was a vulnerability in their system.
  5. Meanwhile, when the Petitioner stated that the public ought to know about the vulnerability since Star Health is a listed Company in the share market with public as shareholders, Star Health filed a suit with false allegations stating that the Petitioner was attempting to extort them. The suit is false and the Petitioner is resisting the same.
  6. However, the fact that the personal information of so many customers including the Petitioner were vulnerable to third parties and foreign entities was a clear violation of the right to privacy of the Petitioner, right to life of the Petitioner and right to data protection. In fact, the Star Health itself has reported another incident on 14.03.2023 to SEBI regarding another vulnerability in its mobile application.
  7. The Petitioner therefore sent representations to the Ministry of Electronics and Information Technology, Home Affairs, IRDAI and SEBI on 07.03.2023 with detailed information regarding the vulnerabilities in the cyber security of Star Health which will most certainly lead to data leak. Several reminders have been sent as well. However, there has been no proper response from any of the Respondent nor has any action been initiated against Star Health. Therefore, Writ Petition was filed seeking Writ of Mandamus against 6 Government Respondents.
  8. While the Writ Petitions were pending, on 14.08.2024, Star Health again reported that there was a hack to SEBI, IRDAI and CERT IN. This is the third incident since December, 2022. This time the hacker has exposed policies and personal details of over 3 crore customers of star health making it one of the biggest hacking incidents in India. It is the case of the Petitioner that this vulnerability in the cyber security had been reported to Star Health by the Petitioner in December, 2022 but no action was taken by them leading to the hacking incident. Therefore, the Petitioner prays that actions ought to be taken against them.
FacebookTwitterEmailBloggerGmailLinkedInWhatsAppPinterestTumblrShare
Exit mobile version