Europcar Rejects Claims of Massive 50 Million User Data Breach, Asserts Information is Counterfeit
Europcar has denied suffering a data breach affecting 50 million users, claiming the data is fake. The car rental company investigated after a hacker group claimed to have stolen the data, but found no evidence of unauthorized access. Europcar has reported the incident to relevant authorities, including the UK Information Commissioner’s Office, and continues to monitor the situation.
Car rental company Europcar recently faced a situation where a threat actor claimed to be selling the personal information of 50 million customers. This person posted on a popular hacking forum, claiming to have the data of 48,606,700 Europcar.com customers.
The post included samples of the allegedly stolen data for 31 Europcar customers, which contained names, addresses, birth dates, driver’s license numbers, and other information.
However, after contacting Europcar, we were informed that the breach was fake and that the data was fabricated using artificial intelligence.
“After being notified by a threat intel service that an account pretends to sell Europcar data on the dark net and thoroughly checking the data contained in the sample, we are confident that this advertisement is false:
– the number of records is completely wrong & inconsistent with ours,
– the sample data is likely ChatGPT-generated (addresses don’t exist, ZIP codes don’t match, first name and last name don’t match email addresses, email addresses use very unusual TLDs),
– and most importantly: none of these email addresses are present in our database.”
As Have I Been Pwned’s Troy Hunt explains, while much of the data is clearly fake, he does not believe it was created using artificial intelligence.
Hunt pointed out that the email addresses do not match the usernames. For example, all usernames contain either a first or last name, but none match the full name listed in the data.
The second indicator that the data is fake is that the addresses simply do not exist. For example, two of the listed customer records use the non-existent towns of “Lake Alyssaberg, DC” and “West Paulburgh, PA.”
Another indicator is that the addresses and phone numbers are for regions in the U.S., yet many of the associated emails are for other countries.
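The three indicators Hunt describes can be turned into a quick plausibility check on a claimed breach sample. The following Python is an added example, not code from Hunt, Europcar or the original article; the records are constructed (only the two town names come from the article), and KNOWN_PLACES is a hypothetical stand-in for a real gazetteer lookup.

```python
# Added example: plausibility triage for a claimed breach sample.
# All records are constructed for illustration; only the two town names
# come from the article. KNOWN_PLACES is a stand-in for a real gazetteer.
import re
from collections import Counter

US_STATES = {"DC", "PA", "NY", "CA", "TX"}  # abbreviated for the example
KNOWN_PLACES = {("Pittsburgh", "PA"), ("Washington", "DC"), ("Austin", "TX")}

SAMPLE = [
    {"name": "Maria Keller", "email": "jonesp@mail.example.fr",
     "city": "Lake Alyssaberg", "state": "DC"},
    {"name": "Devon Price", "email": "alice77@inbox.example.jp",
     "city": "West Paulburgh", "state": "PA"},
    {"name": "Ana Ortiz", "email": "ana.ortiz@example.com",
     "city": "Austin", "state": "TX"},
]

def name_email_mismatch(rec):
    """Local part contains neither the first nor the last name on the record."""
    local = rec["email"].split("@", 1)[0].lower()
    parts = [p for p in re.split(r"\W+", rec["name"].lower()) if p]
    return not any(p in local for p in parts)

def unknown_place(rec):
    """(city, state) pair is absent from the gazetteer."""
    return (rec["city"], rec["state"]) not in KNOWN_PLACES

def region_mismatch(rec):
    """US postal address paired with a non-US country-code TLD."""
    tld = rec["email"].rsplit(".", 1)[-1].lower()
    return rec["state"] in US_STATES and len(tld) == 2 and tld != "us"

CHECKS = {"name_email_mismatch": name_email_mismatch,
          "unknown_place": unknown_place,
          "region_mismatch": region_mismatch}

def triage(records):
    """Return per-record flags and the share of records hit by each check."""
    flags = [[n for n, fn in CHECKS.items() if fn(r)] for r in records]
    hits = Counter(n for f in flags for n in f)
    rates = {n: hits[n] / len(records) for n in CHECKS}
    return flags, rates

if __name__ == "__main__":
    flags, rates = triage(SAMPLE)
    for rec, f in zip(SAMPLE, flags):
        print(rec["email"], "->", f or "no flags")
    print(rates)
```

Each check is weak on its own, since real customers often use email addresses unrelated to their names; it is the share of records failing across a sample that points to fabrication.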
While Europcar told us they believe this data was created using AI, Hunt points out that some of the email addresses are real, appearing in previous data breaches monitored by Have I Been Pwned.
Instead, Hunt believes the mention of artificial intelligence is just a hot take based on the subject’s popularity, and that AI was not involved in creating this data.
“We’ve had fabricated breaches since forever because people want airtime or to make a name for themselves or maybe a quick buck,” explains Hunt.
“Who knows, it doesn’t matter, because none of that makes it ‘AI’ and seeking out headlines or sending spam pitches on that basis is just plain dumb.”
As pointed out by security researcher NexusFuzzy, there are existing projects that allow anyone to create data that looks almost exactly like what was shared in the fake data breach samples.
While threat actors already use artificial intelligence as part of their scams and attacks, and will likely expand its use in the future, this incident does not appear to be one of them.
A Call to Stay Informed and Vigilant
As the Europcar case shows, not everything you read or hear about is true. Cybersecurity is a complex field, and it’s essential to stay informed and vigilant. To protect yourself and your organization from evolving threats, you need to be aware of the latest trends, tactics, and strategies used by threat actors.
Remember to always question the authenticity of data, keep your systems up to date, and educate your employees about cybersecurity best practices.