By Cam Sivesind
Tue | Sep 10, 2024 | 10:26 AM PDT

Avis Car Rental has begun notifying close to 300,000 individuals about a data breach that occurred in August 2024, resulting in the theft of sensitive personal information. The breach reportedly exposed customer names, addresses, driver license numbers, and other personal data.

Following the discovery of the breach, Avis initiated an incident response plan, including engaging cybersecurity experts to assess the scope of the attack and bolster security. The company has contacted law enforcement, and the investigation is ongoing.

Once the breach was identified, Avis took immediate steps to secure its systems and prevent further unauthorized access. In addition to launching a forensic investigation, Avis informed law enforcement agencies to assist with the ongoing investigation. The company has not yet disclosed the exact methods used by the attackers or how long they may have had access to sensitive systems.

Avis said it is working closely with cybersecurity professionals and regulators to address the breach and implement stronger safeguards for the future.

"The breach at Avis highlights critical concerns surrounding automotive security and the handling of personally identifiable information (PII) in the industry," said Hemanth Tadepalli, Cybersecurity and Compliance Engineer at May Mobility. "Car rental agencies like Avis collect and store vast amounts of sensitive data, including customer names, addresses, and driver's license numbers, making it essential for them to prioritize robust cybersecurity protocols. These incidents highlight the vulnerability of this sector to increasingly sophisticated cyberattacks."

Tadepalli continued, "A major challenge lies in securing interconnected automotive systems and databases, where breaches can expose PII to unauthorized actors. Protecting this information is not just a regulatory requirement but a vital component of building customer trust in an industry that increasingly relies on digital services. Implementing advanced encryption methods, regular security audits, and comprehensive incident response plans should be the priority of cybersecurity strategies for organizations in the automotive sector."

Avis customers affected by the breach are urged to monitor their accounts for any signs of fraud or identity theft. The company is offering free credit monitoring services for affected individuals and has provided resources to help them protect their personal information.

"Avis' disclosure that the cause of the breach was insider wrongdoing, and their simultaneous reference to a third party, indicates that the perpetrator was either an employee of a business partner or one whose system was compromised by a remote attacker," said Venky Raju, Field CTO at ColorTokens. "Regardless, as the attacker already had a foothold in the network, they could access a critical business application and exfiltrate customers' personal information. This results from a flat enterprise network with no compartmentalization of systems."

"Perhaps the third-party partner was a parts supplier, however, the Avis servers they accessed could also access the customer management application and database," Raju said. "Enterprises should adopt a zero-trust strategy and implement micro-segmentation to ring-fence applications to prevent such unauthorized access. Traditional tools, such as endpoint detection and response, intrusion detection systems, etc., are helpful but often kick in too late to prevent a smash-and-grab-style attack like the one Avis experienced."

As the investigation continues, Avis will keep affected customers updated on the status of the breach and any additional steps they may need to take to safeguard their data. This incident serves as a reminder of the importance of strong data protection practices for companies handling large amounts of customer information.

"The Avis data breach is a stark reminder of the cybersecurity challenges facing the automotive and rental industries today," said Tamir Passi, Senior Product Director at DoControl. "It's encouraging to see Avis respond quickly by cutting off unauthorized access and bringing in cybersecurity experts. This rapid response, combined with their transparency in notifying affected customers and authorities, is crucial in mitigating damage and maintaining trust."

"What's concerning is the type of information that was accessed. Names, addresses, and driver's license numbers are a goldmine for identity thieves. Criminals could use this data to open fraudulent accounts, apply for loans, or even create fake IDs. It's a serious situation that affected customers will need to monitor closely," Passi added.

Avis Car Rental is part of Avis Budget Group, Inc., a car rental agency holding company based in New Jersey. Avis Car Rental operates approximately 5,500 locations in more than 165 countries.

The automobile industry in North America has been attacked more than a few times over the past few months, including the ransomware attack suffered by CDK Global, which impacted thousands of car dealers across North America.

Autonomous vehicle company practitioner adds more perspective

Tadepalli—whose company's mission is to reimagine transportation by developing and deploying autonomous vehicles that get people where they need to go safely, easily, and with a lot more fun—had more to say on the breach and the issue of cybersecurity for the automotive and related industries:

"The Avis breach also highlights the persistent threat posed by cybercriminals, or threat actors, who often target organizations handling large amounts of personal and financial information. These actors are typically motivated by the financial gain from exploiting stolen PII, which can be sold on the dark web or used for identity theft, fraud, or phishing attacks. In the automotive industry, where digital systems are becoming more interconnected, threat actors can leverage vulnerabilities in data management, third-party services, and connected platforms to gain unauthorized access to sensitive information. 

To mitigate these risks, it is essential for organizations to thoroughly assess third-party vendors, such as credit card companies, through comprehensive vendor security assessments before they are integrated into their systems. Additionally, implementing User Entity Controls (UECs) is critical. These controls ensure that the organization's users—whether employees, partners, or vendors—adhere to strict access and security guidelines. By managing who can access what data, and ensuring secure authentication and authorization mechanisms, UECs help reduce the likelihood of internal or external threats.

The data exposed in breaches like this, including driver's license numbers and addresses, is highly valuable and can be used in combination with other personal details to facilitate sophisticated fraud schemes. Understanding the evolving techniques of threat actors is crucial, as they often use methods such as phishing, ransomware, and malware to infiltrate corporate networks.

Proactive measures, such as regular patching, endpoint security, and continuous monitoring of suspicious activity, are essential. Companies should also focus on data minimization strategies, encryption, and multi-factor authentication to make it harder for threat actors to extract useful information, even if a breach occurs.

For the automotive industry, which has become a frequent target—evidenced by recent attacks on companies like CDK Global—there is a growing need for comprehensive cybersecurity frameworks that address both operational security and the protection of PII. While credit monitoring services and transparent communication with affected customers help mitigate the short-term risks of identity theft and fraud, stronger preventative measures are crucial for long-term protection.

From a compliance standpoint, work with regulators to ensure compliance with all applicable data protection laws and cybersecurity regulations, including GDPR, CCPA, or any other local requirements. Adherence to these standards not only improves security but also helps mitigate legal risks.

Car rental services operate with a mix of internal databases and external integrations, such as partnerships with ride-hailing services, travel agencies, and insurance providers. Regulations should ensure secure APIs and data exchange mechanisms are in place to safeguard customer data, requiring organizations to verify that third-party partners comply with established cybersecurity standards. Car rental services should be mandated to implement continuous threat monitoring and detection systems across digital platforms (e.g., mobile apps, booking systems) to identify potential breaches in real time and take immediate corrective actions.

Regulations should compel car rental services to limit the collection of PII to what is strictly necessary for transactions. Furthermore, policies could dictate how long this data can be retained, and mandate secure deletion procedures after the data is no longer required. This should be part of the data retention and destruction of any company that is handling information such as this."
