Car rental company Avis has suffered a data breach impacting nearly 300,000 customers after an unauthorized third party accessed a business application.
Based in Parsippany, New Jersey, Avis Car Rental is the subsidiary of Avis Budget Group, which also owns Zipcar, Flexcar, Budget Truck Rental, Payless Car Rental, and Budget Rent a Car. The parent company operates in 11,000 locations in 180 countries and reported $12.1 billion in annual revenue in 2023.
Avis says the attacker breached the company’s business application between August 3 and August 6, 2024, and that the intrusion was detected on August 5, 2024.
The car rental franchise responded by taking immediate steps to terminate the threat actor’s access, launching an investigation with external cybersecurity experts, and notifying California’s Office of the Attorney General and relevant authorities.
Avis Car Rental data breach exposes nearly 300,000 customers
Avis continued investigating the data breach and determined on August 14 that the attacker had obtained customer data, which included personally identifiable information.
“We are writing to inform you of a data security incident involving some of your personal information.”
The Zipcar sister company also filed a regulatory notice with the Office of the Maine Attorney General stating that the data breach stemmed from “insider wrongdoing” and impacted 299,006 people.
However, the company has not disclosed whether the data breach involved a third-party contractor or vendor.
Avis also did not disclose the nature of the personal information involved, which could vary by individual, but it included “Name or other personal identifiers,” suggesting that credit cards and Social Security Numbers were not exposed.
The car rental company has notified data breach victims and offered 12 months of complimentary credit monitoring and identity restoration services with Equifax. It also advised impacted customers to remain vigilant for fraud by monitoring their financial statements and credit reports.
In addition, they should not hesitate to notify their financial institutions and relevant law enforcement authorities of any suspicious activity.
The car rental company is also working with external experts to bolster the security of the impacted business application.
“Since the incident occurred, we have worked with cybersecurity experts to develop a plan to enhance security protections for the impacted business application,” the company said.
Avis also enhanced its internal control and monitoring systems to prevent unauthorized individuals from accessing customer data in the future.
“In addition, we have taken steps to deploy and implement additional safeguards onto our systems, and are actively reviewing our security monitoring and controls to enhance and fortify the same,” the company added.
Car rental companies targeted by cyber attacks
Car rental companies are not among cybercriminals’ most preferred targets, but several have reported disruptive cyber attacks in the past few years.
In April 2022, Sixt Rent-a-Car, a German car rental company operating in over 2,000 locations in 110 countries, suffered a cyber attack that disrupted its internal operations.
The cybersecurity incident also leaked personal information that included Social Security Numbers, driver’s license numbers, government and state ID numbers, health information, and financial account numbers.
In February 2021, a US-based Canadian car rental firm, Enterprise Holdings, suffered a Darkside ransomware attack affecting Discount Car and Truck Rentals brands. Shortly after, the cybercrime group threatened to publish 120 GB of allegedly stolen customer data if the company failed to pay the ransom.