U.S.-based car rental company Avis has reported a cyberattack, revealing that threat actors have exfiltrated data from its systems. Customers began receiving Avis data breach notifications on September 4, 2024, informing them that the company detected the cyberattack the previous month.
“We discovered on August 5, 2024, that an unauthorized third party gained access to one of our business applications,” said Avis in the letter filed with the California Office of the Attorney General.
“After becoming aware of the incident, we immediately took steps to end the unauthorized access, began an investigation with assistance from cyber security experts, and alerted the relevant authorities,” it added.
More Details on Avis Data Breach
Avis added that the cyberattack likely took place between August 3 and August 6 and data had been exfiltrated on August 14. The stolen data includes customer names and other sensitive data, which the firm did not disclose.
Post the breach, Avis said it has “worked with cyber security experts” in creating a plan to bolster its cyber security protections.
“Since the incident occurred, we have worked with cybersecurity experts to develop a plan to enhance security protections for impacted business applications. In addition, we have taken steps to deploy and implement additional safeguards onto our systems and are actively reviewing our security monitoring and controls to enhance and fortify the same,” read the statement by Avis.
The company has asked customers to be vigilant and report any suspicious activity.
“It is always a good idea to remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. You can contact the credit reporting agencies if you suspect any unauthorized activity,” Avis stated.
As mandated by law, the company is now providing identity theft or fraud prevention services by providing them a “complimentary one-year membership to Equifax”.
Since the company has not provided further details on the data breach and clarity on the threat actor, The Cyber Express has reached out to the Avis for further comments on the incident.
Rival Company Earlier Suffered Alleged Data Breach
Earlier this year in January, threat actors claimed to have stolen the data of 48,606,700 customers of Avis’s rival rental company Europcar.
The hacker, who was operating under the alias “Lean” on BreachForums, claimed to have stolen “full subdomains, administrator panels and (username, password, full name, address, city, zip, city of birth, city of issuance, passport number, expiration date, driver’s license number, email, number, bank)”.
The hacker also provided samples of the data belonging to 31 Europcar customers as proof of the data’s authenticity.
However, Europcar informed that the breach was fake and that the threat actor had created falsified records using Artificial Intelligence (AI).
“After being notified by a threat intel service that an account pretends to sell Europcar data on the dark net and thoroughly checking the data contained in the sample, we are confident that this advertisement is false,” said Europcar.
The car rental company said that the number of records listed is different to what Europcar has and that many of the email addresses and other details don’t exist, leading it to believe they are AI-generated. It also said that none of the listed email addresses are in its database.