Features 22.01.2026
AI Autopsy: A Data Breach Down Under at Insurer Prosura
On January 3, insurance specialist Prosura identified unauthorised access to “a portion of our internal IT systems” by an unknown third party
Last year, cybersecurity headlines were dominated by a series of catastrophic breaches at big-name multinational firms. But for every Jaguar Land Rover (JLR) and Marks and Spencer (M&S), there is a Prosura. The insurance specialist is little known outside of its native Australia. But the data breach it suffered at the start of the year offers a timely reminder of some evergreen cybersecurity best practices.
Prosura is a Brisbane-based agent for Australasian underwriter Pacific International Insurance. Also trading as Hiccup Insurance, it provides customers with insurance to cover their car rental excess, in the event a vehicle is accidentally damaged or stolen. On January 3, the firm identified unauthorised access to “a portion of our internal IT systems” by an unknown third party.
“We have temporarily taken some website functions offline as a precautionary measure. This includes the ability to purchase a policy, submit or manage a claim, or administer an existing policy via our self-service portal,” Prosura MD, Mike Boyd, said in an update on January 8. “While these services are offline, we are conducting an urgent review of our systems and putting additional security measures in place to prevent reoccurrence.”
“Data like this commands a premium on criminal marketplaces compared to basic PII” Ed Ventham
Contact information, travel destinations, invoicing and pricing data, policy start and end dates, and potentially driver’s licenses and “related images” may have been taken, he added. It is because insurance companies aggregate high-trust data like this at scale that they have become “uniquely attractive targets”, according to Ed Ventham, co-founder of cyber insurance specialist Assured.
“Driver’s licences and ID images look like the most commercially valuable data in this breach from a threat actor and insurance perspective. Data like this enables high-confidence identity fraud, synthetic identity creation, and account takeover, and tends to command a premium on criminal marketplaces compared to basic PII,” Ventham tells Assured Intelligence.
“The combination of data is then what really increases the value further. Contact details plus travel history, policy dates, and pricing information allow attackers to build highly believable phishing and social engineering campaigns, because they create a complete profile of the victim.”
At the time of writing, there was no further word from the company on how the breach happened or how many individuals may have been impacted. But we can piece together more from other sources.
Prosura customers shared on a tech community forum that they had been emailed directly by the alleged threat actor in early January, in an attempt to pressure the insurer into paying a ransom.
“On 01/01/2026, Hiccup / Procura was hit by a data breach that not only crippled its systems but also leaked all consumer information, including full names, email addresses, phone numbers, invoices, and much more. I (the threat actor) attempted to reach out to Hiccup to try to patch this issue and possibly claim a bug bounty,” the email notes.
“Now this is a direct message to you, the consumer, regardless of what happens next. Your trust has already been broken – your information was put at risk due to ignored security practices, and the company failed to act even after being warned. I am currently trying to reach an agreement with the Hiccup / Prosura team to resolve this and ensure the data does not leak.”
The message, reposted by the forum user, also claims the company snubbed the threat actor’s outreach and “left the vulnerability open”. It addresses the Hiccup/Prosura HR team directly, demanding that it contact the threat actor’s email address to “get this sorted”, or else “everything will be leaked and ended here”.
According to the forum user victimised by the breach, the personalised message from the threat actor was appended to an official Prosura email. These are apparently automatically generated when policies are modified. This means the message included all of the recipient’s legitimate details, including policy number, full name, insurance period, and premium charged. The specific policies cited in the forum appear to have been purchased several years ago.
Rapid customer outreach is essential to mitigate such risks, argues Splunk field CTO, Lauren Wilson.
“This is where communication plans come into their own, and time is of the essence,” she tells Assured Intelligence. “Having pre-agreed external comms lines gives a starting point. But ideally organisations will have both a comms strategy and a governance structure in place to produce, approve and disseminate messaging in a timely way to reassure customers and external stakeholders.”
“Playbooks are often tested to emulate in-hours arrangements. Plan your next exercise to test just your out-of-hours response capability” Lauren Wilson
Incident response plans should “explicitly address” customer-targeted extortion scenarios, adds Black Duck CISO, Bruce Jenkins. “Organisations should have defined roles, legal and regulatory engagement, and a strong stance against ransom payments,” he tells Assured Intelligence. “Data minimisation, segmentation, and secure storage practices can also reduce the attacker’s leverage in such situations.”
Given the breach happened on New Year’s Day, both comms programmes in particular, and incident response processes in general, must be operational during public holidays, adds Keeper Security CISO, Shane Barney.
“Direct attacks on customers highlight the importance of encrypting sensitive information, classifying data appropriately and limiting retention, including for former customers,” he tells Assured Intelligence. “Organisations should assume exposed data may be used for social engineering and be prepared to provide clear guidance to customers on identifying suspicious communications.”
It remains to be confirmed how many individuals are impacted. Assured Intelligence reached out directly to Prosura for more information but received an apparently automated email that repeated the facts stated on the firm’s incident update page. The threat actor has posted for sale what they claim to be 98 million lines of data, relating to 500,000 individuals. Other estimates put the figure at more like 300,000.
On the face of it, the threat actor appears to be partly following the “beg bounty” playbook – where opportunistic hackers scan for public-facing vulnerabilities and try to extort companies into paying them to highlight the flaws. However, in this case, it’s debatable whether the ‘bounty hunter’ ever had an altruistic motive. They even refer to themselves in the customer email as a “threat actor”.
“Often bug bounty hunters can be noisy, so know how to spot genuine concerns” Nick Harris
Still, organisations should have strong vulnerability disclosure programmes in place, in case such outreach efforts are genuine, argues Assured CISO, Nick Harris. “Be fast to validate and patch,” he tells Assured Intelligence. “Often bug bounty hunters can be noisy, so know how to spot genuine concerns.”
Splunk’s Wilson goes further. “The real measure of maturity isn’t how much threat or vulnerability intelligence an organisation consumes; it’s whether it can reliably turn that information into action,” she argues.
“It is the intersection of these capabilities that is often overlooked: the convergence of vulnerability management, threat intelligence, and incident response is what builds great defensive capabilities. Most organisations still treat these as separate functions, but in reality, they are deeply interdependent, and playbooks should prepare for incidents originating from any part of the machinery.”
There are also lessons to be learned about cyber resilience. When disaster struck, Prosura was forced to take its self-service portal offline for close to two weeks. That meant customers couldn’t purchase policies or make claims – hitting the bottom line and end-user experience.
Given the timing of the initial breach, Wilson urges CISOs to test their 24/7 resilience. “Playbooks are often tested to emulate in-hours arrangements. Plan your next exercise to test just your out-of-hours response capability,” she advises. “Ensure incident management processes feed incident insights back into threat intelligence and vulnerability management to continuously improve defensive posture.”
The Prosura breach might seem like a long way away to UK CISOs – quite literally. But it can teach much about the evolving nature of cyber risk, and how to manage it.