
Niva Bupa Cyber Siege: How Hacker ‘xenZen’ Exposed India’s Ministers, Weaponized Deepfakes, and Declared War on Privacy

Inside xenZen’s Breach of Niva Bupa
11 March 2025 by Sahil

In a shocking revelation on 19th February 2025, CYBERSEC’s threat intelligence platform uncovered a catastrophic data breach targeting Niva Bupa, one of India’s leading health insurance providers. The threat actor, operating under the alias “xenZen,” claims to possess the personal and medical data of 19.8 million customers and detailed insurance claims records of 11.9 million individuals, with datasets stretching through February 2025. This breach not only exposes sensitive information but also highlights xenZen’s ruthless campaign of blackmail, harassment, and psychological warfare against Niva Bupa’s leadership and employees. “xenZen” has continued to weaponize stolen Niva Bupa customer data despite the insurance giant securing a Delhi High Court John Doe order to block the rogue website “nivabupaleaks.com” (see Livemint coverage).

The Breach: What Was Stolen?

xenZen alleges possession of the following data, which CYBERSEC has independently verified as highly credible based on preliminary analysis:

1. Customer Data (Till Feb 2025):

  • Full names, PAN numbers, mobile numbers, emails, dates of birth, residential addresses.
  • Policy numbers, health card details, pre-existing diseases, nominee information (name, age, relationship).
  • Insured individuals’ biometrics (height, weight, BMI), and other critical health metrics.

2. Insurance Claims Data (Till Feb 2025):

  • Scanned copies of Aadhaar and PAN cards.
  • Detailed medical reports, claim amounts, and contact details.
  • Sensitive documents tied to claims processes.

The hacker has also developed a self-hosted “Data Search” portal (to be launched publicly) that allows searches by name, phone, email, city, or policy number. Chatbots and deepfake-driven disinformation tools are reportedly in development to weaponize the data further.

The Breach Timeline: Legal Battles and Relentless Threats

  1. Initial Leak Hosting: xenZen first hosted a demo dataset on “https://nivabupaleaks.com”, taunting Niva Bupa with searchable customer records.
  2. Court Intervention: On March 3, 2025, Niva Bupa secured a Delhi High Court order directing ISPs to block the domain. The court noted “imminent and irreversible harm” to customers.
  3. Hacker’s Response: Undeterred, xenZen shifted operations to new, harder-to-trace domains and doubled down on threats, releasing deepfake videos of executives’ families.
  4. Current Status: Despite takedown efforts, xenZen continues to mirror the data across decentralized platforms, vowing a “public launch” unless demands are met.





Blackmail, Deepfakes, and Psychological Warfare

xenZen’s tactics transcend conventional cybercrime. The actor has explicitly threatened to:

  • Target Niva Bupa’s Leadership: Harass the families of the CEO and CTO via fabricated deepfake videos, hosted on domains like krishnan.lol and dhiresh.nivabupaleaks.su. These videos falsely portray family members in compromising scenarios.
  • Intimidate Employees: Threaten staff with reputational harm and public shaming unless the company capitulates to demands.
  • Publicly Leak Data: Follow the “Star Health incident” playbook, referencing a prior breach where delayed action led to irreversible reputational and financial damage.

Analysis: A Flawed Defense

While Niva Bupa’s legal action was a necessary step, it highlights critical gaps:

  • Reactive, Not Proactive: The company waited until after xenZen’s demo launch to act, losing precious time to mitigate harm.
  • Inadequate Takedown Strategy: The response focused only on domains, not the hacker’s infrastructure (e.g., server, port: 9090).
  • Silence Breeds Distrust: Affected customers remain uninformed, fueling panic and speculation.

Lesson from Star Health: Like the 2024 Star Health breach, delayed transparency eroded public trust irreparably. Niva Bupa risks the same fate.


CYBERSEC confirms that the leaked datasets include highly sensitive personal information of Indian ministers, senior Home Ministry officials, and Road & Transport Ministry personnel. This revelation underscores unprecedented risks to governance, critical infrastructure, and public safety, as hostile actors could exploit this data for espionage, blackmail, or targeted attacks.

Breach Scope: From Citizens to Cabinet

Beyond 19.8 million customers and 11.9 million insurance claims, xenZen’s stolen data includes:

  • VIPs & Government Officials:
    • Home Ministry: Personal details, residential addresses, and family information of senior bureaucrats and security advisors.
    • Road & Transport Ministry: Travel patterns, vehicle registration data, and contact details of officials overseeing critical infrastructure projects.
    • Sitting Ministers: Health records, policy numbers, and nominee details of at least three Union Ministers, including one with a Cabinet portfolio.
  • Deepfake-Ready Biometrics: High-resolution Aadhaar/PAN scans and medical reports, enabling hyper-realistic impersonation campaigns.

Disclaimer

CYBERSEC’s Intentions & Data Sources

  • Public Interest Mission: CYBERSEC’s reporting on the Niva Bupa breach is driven solely by the goal of raising public awareness, ensuring corporate accountability, and mitigating harm to individuals. We do not engage in hacking, data theft, or unlawful activities.
  • Data Provenance: All information cited in our analysis is sourced from publicly accessible hacking forums, leak repositories, and xenZen’s own announcements. CYBERSEC has not accessed, downloaded, or verified the entirety of the alleged datasets.
  • No Internal Collusion: CYBERSEC confirms that no Niva Bupa employee, executive, or contractor collaborated with or provided data to our team. We operate independently of the company and its affiliates.
  • Accuracy Limitations: While we strive to validate claims through cross-referencing and technical analysis, CYBERSEC cannot guarantee the absolute authenticity of data shared by third-party threat actors.

Critical Notes

  • CYBERSEC condemns xenZen’s actions, including harassment, deepfake abuse, and illegal data trading. We do not endorse or profit from these activities.
  • This disclaimer does not absolve Niva Bupa of its legal and ethical obligations to safeguard customer data under India’s Digital Personal Data Protection Act (DPDP), 2023.
  • CYBERSEC is not liable for third-party misuse of information referenced in our reports.


CYBERSEC Labs is a nonprofit collective dedicated to defending democracy in the digital age.
