Avis notifies customers of data breach

Personal Information of nearly 300,000 car rental customers exposed

Car rental giant Avis is alerting hundreds of thousands of customers that their sensitive personal information was stolen in a major cyberattack that took place in August.

The New Jersey-based company disclosed in several filings with US attorneys general that the breach involved a business application targeted by intruders, who were able to access personal details of approximately 300,000 customers.

The attack began on 3rd August and was discovered by the company two days later, on 5th August.

The investigation revealed that hackers had access to Avis systems between 3rd August and 6th August, during which time they managed to obtain names and other personal information.

The compromised data includes highly sensitive information: customer names, email addresses, phone numbers, dates of birth, mailing addresses, driver's licence numbers and credit card numbers along with their expiration dates.

Avis says it took immediate steps to halt the unauthorised access, although the company has not revealed the precise nature of the attack, nor how the hackers gained entry into its systems.

While the possibility of ransomware involvement cannot be entirely ruled out, there is no indication of any disruptions to Avis' services.

Details of the incident remain limited, leaving many questions about the company's data storage and cybersecurity practices.

"We continue to further enhance our cybersecurity practices and defences and are sending individual notifications to approximately 300,000 US customers (less than 1% of our customer base) whose personal information was affected with offers of complimentary credit and identity monitoring services," an Avis spokesperson told BleepingComputer.

Avis, a global presence in the car rental industry with more than 10,000 locations in 180 countries, has filed breach notifications [pdf] with several US states, including Iowa, Maine and Texas.

A filing with the Office of the Maine Attorney General indicates that 299,006 customers were impacted by the breach.

Additional filings indicated that Texas residents were hit hardest, with 34,592 individuals affected. The company expects to file further notifications in the coming weeks as it continues to assess the extent of the breach.

It remains unclear whether the total number of affected individuals will rise as more data becomes available.

Avis has not disclosed why such a broad range of personal data, including sensitive financial and identification information, was stored in a way that allowed it to be compromised.

Avis Budget Group, the parent company of Avis, is a leading global mobility solutions provider with a significant presence in North America, Europe and Australasia. The breach comes at a time when the company has reported strong financial performance, with revenues exceeding $3 billion in the second quarter of 2024.

Despite the company's size and profitability, the identity of the person or unit within Avis that's responsible for overseeing its cybersecurity efforts has not been made clear.

As Avis continues to notify customers, affected individuals are being advised to monitor their financial accounts and credit reports closely for any signs of suspicious activity. The company is offering affected customers one year of credit monitoring services to help mitigate the potential risks associated with the data breach.

Avis is not the only rental firm to suffer a data breach this year. Truck rental firm U-Haul was hit by an attack that exposed driver's licence numbers and other personal details of 67,000 individuals in the US and Canada.