India’s insurance sector endured a relentless wave of cyberattacks in FY25, the highest on record, jeopardising the sensitive data of millions of policyholders.
Prominent insurers such as Star Health and Allied Insurance, Niva Bupa Health Insurance, HDFC Life Insurance, Tata AIG General Insurance, and Life Insurance Corporation of India (LIC) have found themselves at the forefront of data breaches in FY25.
A cybersecurity expert, who chose to stay anonymous, attributed the surge in cyber breaches to "unpatched systems and insufficient encryption," calling the sector's cybersecurity framework outdated and ill-equipped to handle modern threats.
The expert also attributed the increased attack surface to digital expansion and widespread reliance on cloud providers and software vendors.
Despite the magnitude and severity of the data breaches, none of the hackers involved in these incidents have been apprehended to date.
In fact, alarmingly, the hacker behind the Star Health breach in August 2024 remains at large and, as recently as a few weeks ago, reportedly sent death threats to the company’s CEO and CFO, further escalating concerns.
In October 2024, the Insurance Regulatory and Development Authority of India (IRDAI) directed all insurers to carry out comprehensive IT audits, strengthen data security protocols, enforce regular risk assessments, and invest in employee training.
Notably, IRDAI launched initiatives like Bima-ASBA (Application Supported by Blocked Amount) to improve security and transparency in digital premium payments.
However, cybersecurity experts argued that IRDAI’s response has been largely reactive, with no enforceable national standard for health data protection.
These breaches have far-reaching implications beyond monetary loss, including estimated at $900,000 per day due to system outages, the expert said.
The exposure of Aadhaar, PAN, and medical information puts citizens at risk of long-term identity theft, fraud, and privacy violations, with potential treatment delays due to compromised medical records, he added.
Star Health and Allied Insurance: Largest breach in Indian health insurance history
In August 2024, Star Health and Allied Insurance suffered a catastrophic data breach affecting 31 million customers. Exposed data included Aadhaar numbers, PAN cards, medical reports, phone numbers, and addresses, all of which were reportedly sold on Telegram through automated bots and dark web channels for a mere $43,000.
The breach, termed a "goldmine for cybercriminals" by several cybersecurity experts, poses significant risks of identity theft, phishing, and financial fraud. Moneycontrol had earlier reported that this breach may make the company susceptible to a leadership crisis and a hefty penalty.
Niva Bupa Health Insurance: A growing digital target
In February 2025, Niva Bupa Health Insurance, which covers 19.8 million lives, faced a significant cyber incident when a threat actor claimed to have gained unauthorised access to customer data, publicly sharing select fields from two records with mala fide intent.
While the full extent of the breach remains under investigation, the company swiftly engaged independent cybersecurity experts, informed relevant authorities, and began reinforcing its cybersecurity posture.
This breach came shortly after Niva Bupa’s Rs 2,200 crore IPO, which further digitised its operations and may have increased its attractiveness as a cyber target.
LIC (January 2025)
While there are no official reports on this particular breach, in January 2025, LIC faced widespread criticism on social media platforms for a security oversight where insurance forms lacked One-Time Password (OTP) protection. This lapse potentially exposed a vast number of policyholders to phishing attacks and identity theft.
HDFC Life Insurance (November 2024)
HDFC Life Insurance reported a data breach in November 2024. An unknown entity reportedly contacted the company, sharing certain customer data fields with alleged malicious intent.
In response, HDFC Life initiated an information security assessment and data log analysis to determine the breach's scope and implement remedial measures. According to reports, the company assured stakeholders that there was no material adverse impact from the incident.
Tata AIG General Insurance (Late 2024)
Tata AIG General Insurance experienced a data leak sometime in late 2024, according to reports.
While specific details about the breach remain undisclosed, reports said the IRDAI has acknowledged the incident and directed the company to conduct a comprehensive IT systems audit.
December 2024 software vendor breach
A significant breach occurred in December 2024 involving an Indian software company that provides services to multiple insurers.
The incident, reports said, exposed approximately 1.59 million rows of sensitive insurance data, including customer information and administrative credentials. The attacker, known by the handle '@303', exploited weak access controls and unpatched software, underscoring the danger posed by third-party vendors, especially for companies like Go Digit, which partners with over 9,000 cashless hospitals.