Avis Car Rental, part of the Avis Budget Group, has disclosed a data breach that exposed sensitive customer information. The incident affected approximately 300,000 clients, with attackers gaining unauthorised access to one of Avis’ business applications.
In a letter to customers, which was also shared with attorneys general throughout the country, Avis disclosed a data breach that occurred between August 3 and August 6, this year. When the company discovered the breach, it responded quickly to stop unauthorised access.
According to company statement in letter:
Since the incident occurred, we have worked with cybersecurity experts to develop a plan to enhance security protections for the impacted business application. In addition, we have taken steps to deploy and implement additional safeguards onto our systems.
The company found on August 14 that names and other confidential information had been compromised, along with other personal information belonging to some of their customers.
Avis investigated with the help of external cybersecurity experts and reported the incident to right authorities. The breach has affected customers in multiple locations, potentially compromising their personal data.
In a separate report with the Maine Attorney General, it was discovered that the attackers got the personal information of 299,000 Avis customers. According to Avis’ notification to Iowa’s attorney general, the stolen data varied per customer, but it included names, postal addresses, email addresses, dates of birth, phone numbers, driver’s license information, and credit card numbers.
Cybersecurity Concerns Rise After Avis Data Breach
The data breach at Avis has heightened concerns about data security within the car rental industry. The company has not disclosed the full extent of the breach or whether additional personal data was compromised, nor has it provided an exact number of affected customers.
Avis, headquartered in New Jersey, recorded revenues of $3 billion in the second quarter of 2024, making it one of the major automobile rental companies in the United States, alongside Hertz, Enterprise, and Budget.
The incident is a part of a concerning pattern of cyberattacks targeting the car industry. For example, hundreds of dealerships throughout North America were impacted by the ransomware attack that recently hit CDK Global.
In a similar case in 2023, Taiwanese car rental site iRent disclosed that 400,000 clients’ personal information, including names, addresses, driver’s license numbers, and payment details, had been compromised due to inadequate security measures.
Transport for London (TfL), which oversees the majority of London’s transport network, recently had a cybersecurity breach, prompting an inquiry by the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC).
Despite the seriousness of the incident, TfL assured the public that no customer information had been compromised and that there would be no disruption to transit services.
Although this statement provides users with some confidence, it also highlights the ongoing risk that large, linked systems like London’s transit network pose to attackers.
Avis is providing affected customers with free Equifax credit monitoring and identity restoration services for one year. But that just protects Equifax, so you still need to keep an eye on your credit reports from TransUnion and Experian as well.
Avis recommends that affected customers remain cautious for any indications of identity theft or fraud. It is highly advised that you regularly check your bank accounts and use the free credit monitoring service.
Experts suggest using two-factor authentication and updating passwords as additional security measures. Be cautious when clicking on links in emails or SMS messages, as they may lead to malicious software. Avoid sharing your banking information or Social Security number unless absolutely necessary to prevent unauthorised access or identity theft.
At Phishing Tackle, we know all too well that security technology is often left incorrectly configured, demonstrated by our free Domain Spoofing Test which currently gets past around 50% of users’ security systems.
Security Awareness Training remains one of the most cost-effective methods of boosting cyber-security within your business. Have a look at our free Click-Prone® Test to find out how many of your staff are susceptible to a phishing attack and learn how you can reduce this number today.