Select Page

Incident: Insurer Prosura hit by cyber data breach, customers contacted by ‘threat actor’ | ABC Australia

Incident: Insurer Prosura hit by cyber data breach, customers contacted by ‘threat actor’ | ABC Australia

Australian Insurer Ransomware Attack, 07 January 2026

Queensland-based rental car insurer Prosura confirms a cyber incident as an alleged threat actor contacts victims

Customers of the car excess insurer, linked to rental site VroomVroomVroom may have had their data compromised including: names, phone numbers, email addresses, residence country, invoicing, pricing data, travel destinations and policy start and end dates.

Company Statement: Security Incident Affecting Prosura Services
Source: Insurer Prosura hit by cyber data breach, customers contacted by ‘threat actor’ | ABC Australia

View more incidents relating to the Banking and Finance sector and incidents from Queensland.

Car‑excess insurer Prosura (also trading as Hiccup) has experienced a significant cybersecurity incident involving unauthorised access to parts of its internal systems. The breach has resulted in customer data exposure and direct contact from a self‑described attacker. In response, Prosura has taken core systems offline and is working with cybersecurity specialists to contain and investigate the incident.

Statements from Hackers and Ransom Demands

ABC News reports that customers received emails from an individual claiming responsibility for the breach. The attacker alleges:

  • They breached Prosura’s systems on 1 January 2026.
  • The breach “crippled its systems” and resulted in access to “all consumer information.”
  • They initially attempted to report the vulnerability as a bug bounty request, but claim Prosura ignored them.
  • They threatened to leak all data unless Prosura contacted them.
  • Emails referenced policy numbers and even claimed to add a “policy extension,” indicating access to internal data.

Prosura has not validated these claims and has advised customers not to engage with any suspicious communications.

prosura breach notification 2

Company Statements and Official Response

Prosura’s official incident notice outlines its response:

  • Unauthorised access was detected on 3 January 2026.
  • As a precaution, Prosura has disabled policy purchases, claims submissions, and customer portal access.
  • The company has notified the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).
  • External cybersecurity experts have been engaged to support containment and investigation.
  • Prosura acknowledges that some customers received fraudulent emails and urges vigilance.
  • Managing Director Mike Boyd emphasised that the company is taking the incident “extremely seriously.”

Extent of the Breach

Prosura has not disclosed the total number of affected customers, but both the ABC report and Prosura’s statement confirm that the following information may have been accessed:

  • Names
  • Email addresses
  • Phone numbers
  • Country of residency
  • Travel destinations
  • Invoicing and pricing data
  • Policy start and end dates
  • Claim data, including driver’s licences and images for customers who lodged claims

Payment Information – Prosura states it does not store credit card details, and there is no evidence that payment information was accessed.
Privacy Implications – The exposure of identity documents increases risks of:

  • Identity theft
  • Fraudulent account creation
  • Targeted phishing and social engineering

Root Cause

Prosura has not disclosed the root cause. The attacker claims the breach resulted from an unpatched vulnerability they previously reported, but Prosura has not confirmed this.

Regulatory and Legal Considerations

Prosura has notified:

  • ACSC
  • OAIC

This aligns with obligations under Australia’s Notifiable Data Breaches (NDB) Scheme, which requires notification when a breach is likely to cause serious harm.
Regulators may examine:

  • Whether Prosura had “reasonable security measures” in place
  • The adequacy and timeliness of customer notifications
  • Whether any alleged prior vulnerability disclosure (as claimed by the attacker) was mishandled

Timeline of Events

  • 1 January 2026 – Attacker claims to have breached Prosura’s systems.
  • 3 January 2026 – Prosura detects unauthorised access.
  • 4 January 2026 – Prosura publishes its initial incident notice and disables online services.
  • 6 January 2026 – ABC News reports customers receiving emails from the attacker.
  • 8 January 2026 – Prosura issues an updated statement confirming ongoing investigation and customer outreach.

Company Actions to Inform and Minimise Impacts

Prosura has:

  • Disabled online services to secure systems
  • Engaged external cybersecurity specialists
  • Implemented additional security controls
  • Notified relevant regulators
  • Warned customers about fraudulent emails
  • Committed to contacting affected customers directly once investigations conclude

Incident History

Previous Incidents Related to the Company
There is no publicly available information indicating that Prosura has experienced prior cybersecurity incidents.

Recent Previous Incidents in the Insurance Industry
The insurance sector globally has been a frequent target of cyberattacks due to the high value of identity data, policy information, and claims documentation. Recent notable incidents include:

  1. Medibank (Australia, 2022)
    Although a health insurer, Medibank’s breach remains one of Australia’s most significant, exposing millions of sensitive records and demonstrating the sector’s vulnerability.
  2. Latitude Financial (Australia, 2023)
    While not a traditional insurer, Latitude provided consumer credit and insurance‑related services. The breach exposed millions of identity documents, highlighting systemic weaknesses in identity verification ecosystems.

Common themes across these incidents:

  • Identity documents and PII remain prime targets
  • Ransomware and extortion‑based attacks dominate
  • Third‑party and supply‑chain weaknesses amplify impact
  • Incident response maturity varies widely across the sector

Industry Impact and Lessons to Learn

The Prosura incident reinforces several sector‑wide lessons:

  • Vulnerability Disclosure Handling Is Critical
    If the attacker’s claims are accurate, ignoring a vulnerability report can escalate into a full‑scale breach.
  • Identity Document Protection Must Be Prioritised
    Driver’s licence images and numbers are high‑risk assets requiring strong access controls and minimisation.
  • Customer Communication Needs to Be Clear and Proactive
    Uncertainty fuels distrust. Insurers must provide timely, transparent updates.
  • Third‑Party Ecosystems Expand the Attack Surface
    Prosura’s connection to VroomVroomVroom highlights how interconnected systems can broaden exposure.
  • Cybersecurity Resilience Is a Core Insurance Capability
    Operational shutdowns demonstrate that cyber incidents can directly impact service delivery and customer trust.

Summary

Prosura’s cybersecurity incident is a significant event affecting customers across Australia and New Zealand. While investigations continue, exposed data may include contact details, policy information, and identity documents for some customers. A self‑described attacker has contacted customers directly, increasing the urgency and risk profile of the incident.

This incident adds to a growing list of cyberattacks targeting the insurance sector globally and underscores the need for stronger vulnerability management, identity data protection, and transparent customer communication.

 

 


About The Author

Steven Kirby

I provide independent and practical consultancy services through raising awareness and fostering the energy for change that delivers improved business management of information security governance, risk and compliance.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please follow the Source link to the original article to support the content owner. We only provide a brief summary with metadata to assist in categorisation.

More Australian News

Telstra outage: 'Software defect solution' in place after hundreds unable to call Triple Zero in outage

Telstra has implemented a fresh "solution" to resolve a secondary software defect that left hundreds of customers unable to make Triple Zero calls … [...]

Stolen Credentials Put Australia’s Critical-Infrastructure Defenses on the Clock

In critical infrastructure, the most dangerous breach is not always the one that breaks a firewall. Sometimes it is the one that looks like normal … [...]

Telstra outage fallout: Triple-Zero not fully restored, V/Line services still offline | ABC NEWS

Victoria's regional rail network remains at a standstill following a nationwide telecommunications outage yesterday that stranded commuters. Passengers are being urged not to travel on V/Line services if possible. Telstra [...]

Questions asked about telco regulation after Telstra suffers outage

Experts and advocates have demanded changes to how telecommunication companies are regulated and held accountable for outages after Telstra became … [...]

Scammers use AI image to target parents of WA missing man

Extortionists have sent the parents of a missing West Australian man an AI-generated image of their son and demanded thousands of dollars in exchange … [...]

Telstra outage halts regional train services in Victoria, NSW | ABC NEWS

A nationwide outage to Telstra services has caused all regional train services in Victoria to halt, as well as stopping two key branch lines in the NSW Southern Highlands and [...]

Telstra outage brings Victorian regional rail network to a halt

A crippling statewide cancellation of Victoria's regional trains, linked to a Telstra outage, is likely to continue disrupting services into Thursday … [...]

Select Committee on Cyber Security for Small to Medium Sized Businesses and Organisations: Inquiry into cyber security for small to medium sized … [...]

Doctors’ soaring use of AI scribes prompts Australian government warning over privacy

Exclusive: With the technology fast becoming popular in GP surgeries, regulators are monitoring its implementation and potential pitfalls [...]

Government denies considering a ban on VPNs

The Government has denied it is considering banning or restricting the use of Virtual Private Networks (VPNs) as part of its work on reducing social … [...]

AFP, FBI sign intelligence-sharing memorandum of understanding

Australian Federal Police Commissioner signs several MOUs with US partners in the lead-up to addressing the United Nations Chiefs of Police Summit. • … [...]

Telstra outage: 'Largely returned to business as usual' after nationwide crash

Telstra says its services have been mostly restored after its network suffered a major, nationwide outage that left potentially millions of … [...]

Shares
Share This

Discover more from Australian Cyber Aware

Subscribe now to keep reading and get access to the full archive.

Continue reading