Cybercriminals are expanding their tactics beyond ransomware. They are now manipulating narratives and deploying disinformation. This strategy aims to destabilise organisations and tarnish reputations.

Take the recent case involving a leading insurance firm. A typical data breach? Not quite. This one goes much deeper. It’s not just a story of stolen data but a calculated attempt to destroy the career of the company’s CISO. And in doing so, it highlights the terrifying reality of how cyberattacks have evolved.

In this case, a hacker going by the name “xenZen” didn’t just breach the insurance company’s system. With a fabricated email, xenZen also tried to convince the world that the CISO was in on it, that they had willingly handed over sensitive data. The accusation sparked headlines, and the story began to spiral. But it wasn’t true.

The real story

On September 20, our research team at CloudSek detected that xenZen had posted an offer to sell 7TB of customer data stolen from the insurance firm. That’s 31 million people’s personal information, includ ing their names, addresses, and health records, up for grabs on the dark web. The breach itself was very real, and its scale was massive.

But when the hacker claimed that the CISO had leaked the data, we knew something was off.

Our investigation exposed that the supposed “proof” of the CISO’s involvement was fabricated. xenZen had doctored an email using a simple trick—altering the HTML code with the “inspect element” function. It was an easy way to make it look like the CISO had sent sensitive information, but it was a complete forgery.

The credentials that xenZen claimed to have received from the CISO? They were part of a separate credential breach already floating around on the dark web. The hacker found these credentials and used them to exploit a vulnerability in the company’s system.

Exploiting a technical flaw

Once xenZen had the stolen credentials, he didn’t need insider help to access the company’s database. He exploited an Insecure Direct Object Reference (IDOR) vulnerability in the company’s API, a type of security flaw that allows unauthorised users to access sensitive data simply by manipulating URLs. In this case, the flaw gave the hacker access to 7TB of customer information, allowing him to steal the data without raising any red flags.

But here’s the critical part—this was never about insider collusion. xenZen’s real goal was far more malicious. He didn’t just want the data; he wanted to destroy the reputation of the person responsible for protecting it.

In this case, we discovered that xenZen had a history of targeting Indian organisations, and his actions seemed to have a geopolitical angle.

Rahul Sasi is CEO & co-founder of CloudSek