Avis alerts nearly 300K car renters that crooks stole their info

'Insider wrongdoing' to blame for security breach

Updated Avis Rent A Car System has alerted 299,006 customers across multiple US states that their personal information was stolen in an August security breach.

The digital break-in occurred between August 3 and August 6, according to the car rental giant in filings with the Maine and California attorneys general.

On August 14, Avis determined that sensitive info had been "obtained by the unauthorized third party," although the sample privacy breach notification letter redacted the specifics, so we can't say for sure what personal details were stolen.

Avis also cites "insider wrongdoing" under the security breach disclosure section in the Maine filing, but doesn't provide additional details about what happened.

"Since the incident occurred, we have worked with cybersecurity experts to develop a plan to enhance security protections for the impacted business application," the letter sent to affected consumers says [PDF].

"In addition, we have taken steps to deploy and implement additional safeguards onto our systems, and are actively reviewing our security monitoring and controls to enhance and fortify the same," it continues. 

The car rental company did not immediately respond to The Register's questions about the privacy breach and what specific customer info was accessed. We will update this story if and when we hear back from Avis.

According to San Francisco-based law firm Schubert Jonckheer & Kolbe, this information may include customers' names, addresses, dates of birth, driver's license numbers, and financial information (including account numbers and credit or debit card numbers).

In addition to indicating that the crooks did make off with people's credit card info, this also signals that a class-action lawsuit against Avis may soon be filed.

The rental company suggests that customers "remain vigilant against threats of identity theft or fraud," and is offering affected individuals a free, one-year membership to Equifax credit monitoring services. The deadline to apply for this is December 31. ®

Updated at 1800 UTC on September 11

The data theft wasn't limited to US customers as some Reg readers in the UK have let us know that they, too, received breach notification letters from Avis.

Plus, the info stolen from the rental car giant included drivers' financial information.

"We determined on 14 August 2024, that your personal data was obtained by the unauthorised third party, which included your name and your postal address, email address, driver's license, credit card number and expiration date, date of birth, and phone number," according to the data breach notification letters viewed by your humble vulture.

Still no official word from Avis in response to our questions about the digital break-in.

More about

TIP US OFF

Send us news


Other stories you might like