Incident Overview
Insurance provider Prosura, which also operates under the name Hiccup and specializes in rental car insurance for customers in Australia and New Zealand, has reported a data security incident. A self-identified "threat actor" has reportedly obtained personal information belonging to Prosura customers and has issued a threat to publicly disclose this data unless an agreement is reached with the company.
Company Response and Compromised Data
In response to the incident, Prosura has temporarily ceased the sale of new policies and shut down its online self-service portal to facilitate an ongoing investigation. The company has not released specific figures regarding the number of customers potentially affected.
Prosura's preliminary investigation, detailed in a public statement, indicated unauthorized access to specific sections of its systems on a Saturday. The data that may have been compromised includes customer names, email addresses, phone numbers, country of residency, travel destinations, invoicing and pricing data, and policy start and end dates. Additionally, data related to insurance claims, such as driver's licenses and associated images, may also have been accessed. Prosura has stated that there is no evidence suggesting credit card details were compromised, clarifying that such information is not stored by the company.
Prosura founder Mike Boyd confirmed that the company is conducting a thorough review of its systems, implementing additional security measures, and engaging with relevant authorities. Boyd also noted that the parties responsible for the breach have employed "aggressive tactics," which include direct communication with some customers. Prosura has advised its customers to refrain from responding to any suspicious emails, telephone calls, or text messages. The company is also aware that some customers have received "fraudulent emails" pertaining to older, completed policies.
Threat Actor's Allegations
An individual claiming responsibility for the cyber attack has sent emails directly to affected Prosura customers. This individual asserted that Prosura's systems were breached on New Year's Day, leading to the acquisition of "all consumer information," including full names, email addresses, phone numbers, and invoices. The threat actor stated a prior attempt to contact "Hiccup" to report the vulnerability and potentially claim a bug bounty, claiming these overtures were ignored. The email urged Prosura to initiate contact to resolve the situation, indicating that failure to do so would result in the public leakage of the data. The emails sent by the threat actor to victims included specific policy numbers and purported to offer a complimentary "policy extension" dated January 3.
Customer Impact and Concerns
A customer from New Zealand, who procured Prosura insurance while booking a rental car via vroomvroomvroom.com.au (a car rental comparison website under the same ownership as Prosura), confirmed receiving an email from the alleged threat actor. Upon seeking clarification from Prosura, the customer reported receiving a generalized response that largely replicated text from the company's public statements. The customer voiced apprehension regarding the exposure of personal details, particularly in relation to the potential for identity theft and fraud stemming from compromised full names and dates of birth.
Broader Context
This incident aligns with a pattern of significant cyber attacks experienced by Australian corporations in recent years. Notable breaches include those affecting Optus in 2022, law firm HWL Ebsworth in 2023, and Qantas in 2025. These events have underscored existing vulnerabilities within corporate information systems and have led to the exposure of personal data belonging to millions of individuals.