Car rental organisation Avis has begun informing its customers that threat actors successfully launched a cyber attack on its systems and exfiltrated data.
Avis sent a data breach notification to its customers on Wednesday (4 September), informing them that it had discovered the cyber attack last month.
“We discovered on August 5, 2024, that an unauthorised third party gained access to one of our business applications,” said Avis in the letter, which was filed with the California Office of the Attorney General.
“After becoming aware of the incident, we immediately took steps to end the unauthorised access, began an investigation with assistance from cyber security experts, and alerted the relevant authorities.”
Avis added that the attack likely occurred between 3 August and 6 August and that on 14 August, it found that data had been exfiltrated, including customer names and other sensitive data that it did not disclose.
Following the breach, Avis said it has “worked with cyber security experts” to create a plan to bolster its cyber security protections and response, and has added further safeguards to prevent a repeat incident.
Additionally, it has provided customers advice on how to best prevent being further affected by identity theft or fraud and provided them a “complimentary one-year membership to Equifax”.
At this stage, the nature of the incident is unknown, and no threat actor has been identified. Cyber Daily has reached out to Avis for further comment on the incident.
Earlier this year, threat actors claimed to have stolen the data of 48,606,700 customers of rival rental company Europcar.
The threat actor, who went by the name “Lean” on BreachForums, claimed to have stolen “full subdomains, administrator panels and (username, password, full name, address, city, zip, city of birth, city of issuance, passport number, expiration date, driver’s license number, DNi email, number, bank)”.
The threat actor also posted samples of the data belonging to 31 customers as verification of the data’s authenticity.
However, responding to an inquiry from BleepingComputer, Europcar said the breach was fake and that the threat actor had created falsified records using artificial intelligence (AI).
“After being notified by a threat intel service that an account pretends to sell Europcar data on the dark net and thoroughly checking the data contained in the sample, we are confident that this advertisement is false,” said Europcar.
The car rental company said that the number of records listed is different to what Europcar has and that many of the email addresses and other details don’t exist, leading it to believe they are AI-generated.
It also said that none of the listed email addresses are in its database.