Prosura is managing a cyber incident that resulted in unauthorised access to parts of its systems and a temporary shutdown of key customer self-service functions. Managing director and founder Mike Boyd confirmed on Jan. 4 that the company is responding to the incident, which it identified a day earlier. Prosura has disabled the ability for customers to buy policies, lodge, or manage claims, and administer existing policies through its online self-service portal while investigations are under way. The company has also reported that some policyholders have received emails relating to older, completed policies that appear to reference the incident and direct recipients to a third-party email address. Prosura has described these as fraudulent emails and is advising customers not to respond.
Prosura’s initial assessment indicates that the incident may have involved both personal and policy information. Data that may have been accessed includes names, email addresses, telephone numbers, country of residency, travel destinations, invoicing and pricing information, and policy start and end dates. The company has also stated that claim-related information could be affected, including driver licence details and associated images.
Prosura has said there is currently no evidence that payment card data has been accessed and noted that it does not store credit card details. The insurer has brought in specialist cybersecurity advisers to assist with the investigation and remediation of affected systems. It has set up an incident page on its website, where it is publishing updates, FAQs, and other information for customers.
In comments reported by the ABC, Boyd said Prosura is “conducting an urgent review of our systems and put additional security measures in place to prevent recurrence,” and that authorities are being notified. “The individual or individuals responsible have engaged in aggressive tactics to apply pressure on our business, including contacting some customers directly. We ask that all customers please not respond to any email, telephone, or text messages that seem suspicious. We are working to ensure that all appropriate action is taken in response to this incident. To protect the integrity of our investigation and response, we cannot provide further information on this at this time,” Boyd said.
A person claiming responsibility for the attack has emailed some customers, stating that they breached Prosura’s systems on New Year’s Day in a “data breach that not only crippled its systems but also leaked all consumer information, including full names, email addresses, phone numbers, invoices, and much more.” The self-identified threat actor said: “I [the threat actor] attempted to reach out to Hiccup to try to patch this issue and possibly claim a bug bounty,” and alleged that Prosura had “completely ignored my message and left the vulnerability open, which is insane.”
The email calls on Prosura to respond “to get this sorted” and warns, “I’m done playing this game with you. We need to get this resolved, or everything will be leaked and ended here.” Some of the emails reportedly reference the recipient’s policy number and refer to a free “policy extension” dated Jan. 3.
Prosura has said that policy coverage remains in place and that the incident does not affect policy validity. Customers with upcoming trips can continue with their travel plans under existing policies. While the online portal is unavailable, the company has asked customers needing claims assistance to contact help@prosura.com with “Claim” in the subject line so staff can process claims manually.
Customers are being advised not to reply to unsolicited or unexpected messages, not to use any third-party email addresses mentioned in such communications, and not to click on links or open attachments in emails they were not expecting. Prosura has also advised customers to be alert to phishing across email, phone, and SMS channels and to check the incident page on its website for updated information. In a statement titled “Our commitment,” Prosura said it aims to protect affected customers, provide support, and restore services. It has said it will issue further updates when it has a clearer understanding of the scope of data involved.
The Prosura incident occurs against a wider backdrop of persistent cyber and privacy risk for Australian organisations, including insurers and intermediaries. In the first half of 2025 (H1 2025), the Office of the Australian Information Commissioner (OAIC) received more than 500 eligible data breach notifications, with malicious or criminal attacks the leading cause and cybersecurity incidents a key driver.
On average, cyber incidents notified to the OAIC in that period affected large numbers of individuals, reflecting the scale of potential impact when core systems are compromised. Global analysis by IBM has put the mean cost of a data breach for organisations in 2024 at more than US$4 million, indicating the financial and operational implications for regulated entities. Health organisations accounted for the largest share of reported breaches to the OAIC in that period, followed by finance and then Australian government agencies.
