Update September 09, 08:32 EDT: Revised title and story to include that the Avis data breach impacted over 299,000 customers.
American car rental giant Avis notified customers that unknown attackers breached one of its business applications last month and stole some of their personal information.
According to data breach notification letters sent to impacted customers on Wednesday and filed with California’s Office of the Attorney General, the company took action to stop the unauthorized access, launched an investigation with the help of external cybersecurity experts, and reported the incident to relevant authorities after learning of the breach on August 5.
This investigation revealed that the attacker accessed its business applications from August 3 until August 6, when the company evicted the malicious actor from its systems and blocked its access. On August 14, it also found that the attacker stole some customers’ personal information, including their names and other undisclosed sensitive data.
As revealed in a separate filing with Maine’s attorney general, the attackers stole the personal information of 299,006 Avis customers in the breach.
“We continue to further enhance our cybersecurity practices and defenses and are sending individual notifications to approximately 300,000 U.S. customers (less than 1% of our customer base) whose personal information was affected with offers of complimentary credit and identity monitoring services,” an Avis spokesperson told BleepingComputer.
Since the breach, Avis says it has worked with outside experts to strengthen security measures for the affected application and implemented additional safeguards across its systems.
The company added that it’s actively reviewing security monitoring and controls to bolster security defenses and warned customers of identity theft and fraud risks following the data breach.
“It is always a good idea to remain vigilant against threats of identity theft or fraud,” Avis told those whose personal information was stolen in the incident.
“You can do this by regularly reviewing and monitoring your account statements and credit history for any signs of unauthorized transactions or activity. You can contact the credit reporting agencies if you suspect any unauthorized activity.”
The car rental company also offered those affected a free one-year membership to Equifax’s credit monitoring service, which assists with identity theft detection and resolution.
Avis is a subsidiary of Avis Budget Group, a leading global mobility solutions provider that also owns Zipcar, the world’s leading car-sharing network. Its Avis and Budget car rental brands operate over 10,000 rental locations in 180 countries across North America, Europe, and Australasia. Avis Budget Group has reported more than $3.0 billion in revenues for the second quarter of 2024.
The company has not responded to multiple requests for comment from BleepingComputer asking for more information about the attack’s nature, the number of affected customers, and the other personal information stolen in the breach.
Source: www.bleepingcomputer.com