Incident: Insurer Prosura hit by cyber data breach, customers contacted by ‘threat actor’ | ABC Australia
Australian Insurer Ransomware Attack, 07 January 2026
Queensland-based rental car insurer Prosura confirms a cyber incident as an alleged threat actor contacts victims
Customers of the car excess insurer, linked to rental site VroomVroomVroom may have had their data compromised including: names, phone numbers, email addresses, residence country, invoicing, pricing data, travel destinations and policy start and end dates.
Company Statement: Security Incident Affecting Prosura Services
Source: Insurer Prosura hit by cyber data breach, customers contacted by ‘threat actor’ | ABC Australia
View more incidents relating to the Banking and Finance sector and incidents from Queensland.
Car‑excess insurer Prosura (also trading as Hiccup) has experienced a significant cybersecurity incident involving unauthorised access to parts of its internal systems. The breach has resulted in customer data exposure and direct contact from a self‑described attacker. In response, Prosura has taken core systems offline and is working with cybersecurity specialists to contain and investigate the incident.
Statements from Hackers and Ransom Demands
ABC News reports that customers received emails from an individual claiming responsibility for the breach. The attacker alleges:
- They breached Prosura’s systems on 1 January 2026.
- The breach “crippled its systems” and resulted in access to “all consumer information.”
- They initially attempted to report the vulnerability as a bug bounty request, but claim Prosura ignored them.
- They threatened to leak all data unless Prosura contacted them.
- Emails referenced policy numbers and even claimed to add a “policy extension,” indicating access to internal data.
Prosura has not validated these claims and has advised customers not to engage with any suspicious communications.
Company Statements and Official Response
Prosura’s official incident notice outlines its response:
- Unauthorised access was detected on 3 January 2026.
- As a precaution, Prosura has disabled policy purchases, claims submissions, and customer portal access.
- The company has notified the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).
- External cybersecurity experts have been engaged to support containment and investigation.
- Prosura acknowledges that some customers received fraudulent emails and urges vigilance.
- Managing Director Mike Boyd emphasised that the company is taking the incident “extremely seriously.”
Extent of the Breach
Prosura has not disclosed the total number of affected customers, but both the ABC report and Prosura’s statement confirm that the following information may have been accessed:
- Names
- Email addresses
- Phone numbers
- Country of residency
- Travel destinations
- Invoicing and pricing data
- Policy start and end dates
- Claim data, including driver’s licences and images for customers who lodged claims
Payment Information – Prosura states it does not store credit card details, and there is no evidence that payment information was accessed.
Privacy Implications – The exposure of identity documents increases risks of:
- Identity theft
- Fraudulent account creation
- Targeted phishing and social engineering
Root Cause
Prosura has not disclosed the root cause. The attacker claims the breach resulted from an unpatched vulnerability they previously reported, but Prosura has not confirmed this.
Regulatory and Legal Considerations
Prosura has notified:
- ACSC
- OAIC
This aligns with obligations under Australia’s Notifiable Data Breaches (NDB) Scheme, which requires notification when a breach is likely to cause serious harm.
Regulators may examine:
- Whether Prosura had “reasonable security measures” in place
- The adequacy and timeliness of customer notifications
- Whether any alleged prior vulnerability disclosure (as claimed by the attacker) was mishandled
Timeline of Events
- 1 January 2026 – Attacker claims to have breached Prosura’s systems.
- 3 January 2026 – Prosura detects unauthorised access.
- 4 January 2026 – Prosura publishes its initial incident notice and disables online services.
- 6 January 2026 – ABC News reports customers receiving emails from the attacker.
- 8 January 2026 – Prosura issues an updated statement confirming ongoing investigation and customer outreach.
Company Actions to Inform and Minimise Impacts
Prosura has:
- Disabled online services to secure systems
- Engaged external cybersecurity specialists
- Implemented additional security controls
- Notified relevant regulators
- Warned customers about fraudulent emails
- Committed to contacting affected customers directly once investigations conclude
Incident History
Previous Incidents Related to the Company
There is no publicly available information indicating that Prosura has experienced prior cybersecurity incidents.
Recent Previous Incidents in the Insurance Industry
The insurance sector globally has been a frequent target of cyberattacks due to the high value of identity data, policy information, and claims documentation. Recent notable incidents include:
- Medibank (Australia, 2022)
Although a health insurer, Medibank’s breach remains one of Australia’s most significant, exposing millions of sensitive records and demonstrating the sector’s vulnerability. - Latitude Financial (Australia, 2023)
While not a traditional insurer, Latitude provided consumer credit and insurance‑related services. The breach exposed millions of identity documents, highlighting systemic weaknesses in identity verification ecosystems.
Common themes across these incidents:
- Identity documents and PII remain prime targets
- Ransomware and extortion‑based attacks dominate
- Third‑party and supply‑chain weaknesses amplify impact
- Incident response maturity varies widely across the sector
Industry Impact and Lessons to Learn
The Prosura incident reinforces several sector‑wide lessons:
- Vulnerability Disclosure Handling Is Critical
If the attacker’s claims are accurate, ignoring a vulnerability report can escalate into a full‑scale breach. - Identity Document Protection Must Be Prioritised
Driver’s licence images and numbers are high‑risk assets requiring strong access controls and minimisation. - Customer Communication Needs to Be Clear and Proactive
Uncertainty fuels distrust. Insurers must provide timely, transparent updates. - Third‑Party Ecosystems Expand the Attack Surface
Prosura’s connection to VroomVroomVroom highlights how interconnected systems can broaden exposure. - Cybersecurity Resilience Is a Core Insurance Capability
Operational shutdowns demonstrate that cyber incidents can directly impact service delivery and customer trust.
Summary
Prosura’s cybersecurity incident is a significant event affecting customers across Australia and New Zealand. While investigations continue, exposed data may include contact details, policy information, and identity documents for some customers. A self‑described attacker has contacted customers directly, increasing the urgency and risk profile of the incident.
This incident adds to a growing list of cyberattacks targeting the insurance sector globally and underscores the need for stronger vulnerability management, identity data protection, and transparent customer communication.











