The AUS Prosura Breach: Critical Lessons for Financial Services Security


Data breach victims can sometimes be the last to hear about an incident, but following a New Year’s Day attack on Australian insurance company Prosura, they were among the first.

Someone claiming to be the threat actor allegedly sent emails from company systems to some (but not all) customers who had previously purchased rental car excess insurance (known as ‘deductible insurance’ in the US) through Prosura’s VroomVroomVroom website. They justified the attack by claiming that the company’s security teams had previously ignored their messages about security issues.

The fallout so far

The same person is now offering a data set for sale on a cybercrime forum that allegedly contains personal information relating to 300,000-500,000 customers. The data set is claimed to include names, ages, phone numbers, email addresses, and driver’s license information.

No financial information was stolen in this incident, but that could still change. Although the method behind this attack involved an undisclosed server-side compromise, Prosura still needs to be vigilant about post-breach risk to the VroomVroomVroom website and its supply chain, because the attacker has demonstrated their intent.   

The urgent need for layered security

The average cost of a data breach globally is $4.44 million, but in the financial sector it’s $5.56 million. With 532 data breach notifications reported to Australia’s OAIC in the first half of 2025, the threat is real. Financial services companies like Prosura are a uniquely attractive target to criminals, so adopting a layered security approach that protects backend infrastructure and addresses client-side vulnerabilities is essential.

Solutions like Reflectiz demonstrate how continuous monitoring can extend visibility beyond a company’s direct control. They map and monitor the kind of supply chain risks that attackers often exploit.

Backend infrastructure protection: defending the vault

Backend security focuses on the systems that store, process, and move sensitive data:

  • Core databases and APIs
  • Identity and access management
  • Servers, cloud infrastructure, and internal networks
  • Fraud detection and transaction controls

These controls are designed to stop: 

  • Credential theft and privilege escalation
  • Database exfiltration
  • Ransomware and system disruption
  • Insider misuse

But here’s the catch: Backend security only protects what you know about and control. Once an attacker finds a way around it – or exploits a blind spot – the backend is exposed.

Client-side monitoring: protecting the front door that customers actually use

The client side is the live environment running in a customer’s browser:

  • Web pages and forms
  • JavaScript and third-party tags
  • Analytics, marketing, and payment scripts

This layer is exposed to:

  • Malicious JavaScript injection
  • Supply-chain attacks via third-party vendors
  • Web skimming and silent data exfiltration
  • Page manipulation that bypasses backend controls entirely 

Crucially, client-side attacks don’t need to breach databases. They steal data before it ever reaches the backend – names, emails, policy details, quotes, even login credentials.

From a backend-only perspective, everything can look “normal” while customer data is being siphoned off in real time.
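As an added illustration (not part of the original article, and not Reflectiz's own method), the following Python example inventories the external scripts in a page's served HTML and flags any loaded from a host outside an approved list, or from an approved host without a Subresource Integrity hash. The URL, HTML, hostnames, allowlist and function names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample input: every hostname, path and the SRI value is a placeholder.
SAMPLE_URL = "https://insurer.example/quote"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.analytics.example/tag.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://pay.vendor.example/checkout.js"></script>
<script src="//unknown-cdn.example/collect.js"></script>
<script>window.dataLayer = [];</script>
</head><body><form action="/quote"></form></body></html>
"""
ALLOWED = {"cdn.analytics.example", "pay.vendor.example"}  # assumed approved vendors

class ScriptInventory(HTMLParser):
    """Collects the src and integrity attributes of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))

def audit_scripts(page_url, html, allowed_hosts):
    """Return (host, url, finding) for each third-party script that needs review."""
    first_party = urlparse(page_url).hostname
    inventory = ScriptInventory()
    inventory.feed(html)
    findings = []
    for src, integrity in inventory.scripts:
        if not src:
            continue  # inline script: no external origin to check here
        url = urljoin(page_url, src)  # resolves relative and //host/path forms
        host = urlparse(url).hostname
        if host == first_party:
            continue
        if host not in allowed_hosts:
            findings.append((host, url, "unapproved third-party host"))
        elif not integrity:
            findings.append((host, url, "approved host, no SRI hash"))
    return findings

if __name__ == "__main__":
    for host, url, finding in audit_scripts(SAMPLE_URL, SAMPLE_HTML, ALLOWED):
        print(f"{finding}: {url}")
```

A check over served HTML only sees scripts present in the markup; scripts that an approved tag loads at run time do not appear in it, which is why the article stresses monitoring the live page in the browser.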

Why insurance and financial services are especially at risk

Companies like Prosura are prime targets because they combine:

  • High-value personal and financial data
  • Complex digital ecosystems (brokers, partners, insurers, reinsurers)
  • Heavy reliance on third-party scripts 

Attackers know:

  • A single injected script can affect thousands of customers
  • Client-side compromises are harder to detect with traditional tools
  • Regulatory penalties and brand damage amplify the impact

Why layered security is the only realistic defence today

Think of it as inside-out protection:

  • Backend controls stop attackers who get too far
  • Client-side monitoring, like Reflectiz, detects attackers before data is submitted, processed, or stored

Together, they provide:

  • Earlier breach detection
  • Visibility into third-party and supply-chain risk
  • Protection against attacks that never touch the backend
  • Stronger compliance posture and breach response readiness

The bottom line

Modern financial breaches rarely respect architectural boundaries. Attackers move fluidly between backend systems, websites, and third-party services.

If you only protect the backend, you’re guarding the vault while leaving the front door unmonitored, and Reflectiz has that covered. Layered security ensures that no matter where an attack starts, it has far fewer places to hide.
