Avis Car Rental, a subsidiary of Avis Budget Group, has disclosed a data breach that has compromised sensitive customer information. The breach occurred after attackers gained unauthorised access to one of Avis’s business applications, impacting customers across multiple locations.
The US-based car rental company first became aware of the breach on 5 August 2024. Following this discovery, Avis stated that it took immediate action to halt the unauthorised access. The firm claims to have initiated a thorough investigation with the assistance of external cybersecurity experts and reported the incident to the relevant authorities.
The investigation revealed that the attackers accessed the compromised business application from 3 August to 6 August 2024. On 14 August 2024, it was confirmed that the attackers had stolen personal information, including names, addresses, driver’s licence numbers, financial account information, and dates of birth of some customers.
Avis notified affected customers via letters sent out last week. The car rental company has advised all impacted individuals to remain vigilant against potential identity theft or fraud by closely monitoring their financial account statements and credit histories.
It is also offering a free one-year membership to Equifax’s credit monitoring service to assist affected customers in detecting and resolving identity theft issues.
To prevent future incidents, Avis has collaborated with cybersecurity experts to strengthen its security measures and implemented additional safeguards across its systems. The company has stated it is continuously reviewing and enhancing its security monitoring and controls to bolster its defences against such threats.
Rental car industry seemingly new target for hackers
The breach comes amid growing concerns over data security in the rental car industry, and Avis has not yet disclosed the exact number of customers affected by this breach. The company has also not provided detailed information about the nature of the attack or whether any additional sensitive data may have been compromised.
Avis operates over 5,500 rental locations in 165 countries. Its parent firm, Avis Budget Group, also owns a car-sharing network called Zipcar.
In 2022, Zipcar reported a data breach where hackers accessed an undisclosed number of customer accounts, obtaining personal information such as names, email addresses, and, in some cases, driver’s licence numbers. Although financial information was not compromised, the breach raised concerns about the security measures employed by car-sharing services.
In a similar incident affecting the car rental sector, in early 2023, iRent faced a significant data breach where the personal information of 400,000 clients was left unprotected online without a password. The exposed data of the Taiwanese car rental and car-sharing platform included names, addresses, driver’s licence details, and payment information.
The company, operated by Hotai Motor, which manufactures Toyota vehicles in Taiwan, had to prepare a compensation package for those affected by the data leak.
In April 2022, Sixt, a major global car rental company, was targeted in a cyberattack that caused temporary disruptions. Sixt detected suspicious activity on its IT systems and quickly confirmed the attack.
As a precaution, the company restricted access to its systems and initiated recovery processes. Although the full impact of the breach was minimised, the incident highlighted the vulnerability of car rental companies to such attacks.
Sixt’s quick response is said to have likely prevented more severe damage, but the incident demonstrated how even large, well-established companies in the sector are not immune to cyber threats.
Apart from the car rental segment, there was a recent cybersecurity incident reported by Transport for London (TfL), which led to an investigation by the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC). Despite the seriousness of the situation, TfL, which oversees most of the transport network in London, stated that there is no evidence to suggest that customer data was compromised or that there was any disruption to its services.