This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Insurance House / ProRisk

Summary

Insurance House, trading as ProRisk, was hit by a cyberattack in July 2019 in which criminals demanded a ransom payment. The insurance provider publicly stated it would not pay ransoms to cybercriminals, taking a strong stance against funding criminal enterprises. The attack disrupted business operations and potentially compromised customer insurance information, highlighting the insurance industry's vulnerability to ransomware despite being in the business of managing risk.

What Happened

Ransomware. Cybercriminals launched a ransomware attack against Insurance House's systems, encrypting data and demanding payment for its release. The attack potentially affected customer policy information, claims data, and personal details stored by the insurance provider. Insurance House's management made the decision not to pay the ransom, publicly stating "we don't pay ransoms" and instead focusing on restoring systems from backups and implementing security improvements. The company's refusal to pay aligned with law enforcement and cybersecurity guidance that discourages ransom payments, which fund further criminal activity and provide no guarantee of data recovery.

Impact on Individuals

  • Customer Data at Risk: Insurance policies, claims histories, and personal information potentially compromised
  • Service Disruption: Delays in policy management, claims processing, and customer service during recovery
  • Financial Information: Income details and asset information from insurance applications potentially exposed
  • Privacy Concerns: Uncertainty about what customer data the attackers accessed before encrypting systems
  • Contact Details: Names, addresses, phone numbers, and email addresses potentially stolen

The attack on an insurance provider was particularly ironic given the industry's role in helping others manage cyber risk.

Response

Insurance House immediately activated its incident response plan and engaged cybersecurity experts to contain the attack and investigate the breach. The company publicly announced it had refused to pay the ransom demand, sending a strong message about not negotiating with criminals. Insurance House worked to restore systems from backups while maintaining essential customer services through alternative means. The provider notified potentially affected customers and reported the incident to the Office of the Australian Information Commissioner. Enhanced security measures were implemented to prevent future attacks. The company reviewed its business continuity and disaster recovery procedures based on lessons learned from the incident. The breach prompted discussions within the insurance industry about cybersecurity preparedness and whether insurers were adequately protecting customer data while selling cyber insurance products to other businesses. +++

Verification Source: View original statement