Cybercriminals Steal Personal Data from Avis

US car rental company, Avis, has announced that personal information and driving license numbers belonging to hundreds of thousands of customers have been stolen. TechCrunch reported that the information was stolen during the Avis car rental cyberattack that occurred in August.

According to a breach notification published by the Office of the Attorney General of Maine, a total of 299,006 customers were affected by the data breach. The notice attributes the breach to insider wrongdoing. However, the attached letter does not make any reference to any Avis employee.

Unauthorized Access

Last week Avis filed a data breach notice with multiple attorneys general in the US. In the notice, the New Jersey-based company said that it noticed unauthorized access and took action to end the intrusion.

“We discovered on August 5, 2024, that an unauthorized third party gained access to one of our business applications. After becoming aware of the incident, we immediately took steps to end the unauthorized access, began an investigation with assistance from cybersecurity experts, and alerted the relevant authorities. Based on our investigation, we determined that the unauthorized access occurred between August 3, 2024, and August 6, 2024,” Avis said in a report.

Details about the Avis car rental hit remain scarce since the company has not made public information about the type of cyberattack it’s handling.

Stolen Data

In a data breach notice filed with Iowa’s attorney general last week, Avis provided details of the data that cybercriminals stole during the August cyberattack. Avis personal data that was stolen includes customer names, email addresses, date of birth, mailing addresses, phone numbers, driver’s license numbers, and credit card numbers and their respective expiry dates.

It remains unclear why the car rental company stored such sensitive customer data in a manner that compromised its security. Texas appeared to have the highest number of affected individuals. The data breach notice filed with the attorney general’s office in the state showed that data belonging to 34,592 individuals was stolen.

Avis is expected to file more data breaches in the coming weeks. It’s unclear whether the number of individuals affected by the breach will increase from the 299,006 reported in the Maine notice.

Security Measures

Avis has advised its customers to remain vigilant amidst the identity theft threat. The company has offered affected customers free credit monitoring with Equifax for 12 months.

“It is always a good idea to remain vigilant against threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. You can contact the credit reporting agencies if you suspect any unauthorized activity” Avis said.

Following the security breach, Avis is working with cybersecurity experts to boost security protection for its business applications, particularly those that were targeted in the breach.

“We have taken steps to deploy and implement additional safeguards onto our systems, and are actively reviewing our security monitoring and controls to enhance and fortify the same,” the company added.

Avis owns the Zipcar and Budget Rent-a-Car brands. The company has over 10,000 car rental locations spread across 180 countries. In 2023, Avis generated $12 billion in revenue.