Data of nearly 300,000 exposed in Avis cyberattack

Car rental giant Avis said a cyberattack in August exposed the sensitive information of almost 300,000 people across several U.S. states.

None of the data breach notifications, which were first reported by BleepingComputer, say what information was taken during the cyberattack. 

But the letters say the company discovered the attack on August 5. An investigation revealed that the hackers had access to Avis systems from August 3 to August 6. 

By August 14, the company determined that names and other pieces of personal information were accessed by the hackers. Victims are being offered one year of credit monitoring services. 

Breach notifications letters were filed with regulators in California, Maine, Texas, Massachusetts, Vermont and several other states. 

The company did not respond to requests for comment about how many people were affected and what information was exposed, but the filing in Maine says 299,006 people had data stolen. 

Avis, headquartered in New Jersey, reported revenues of $3 billion for the second quarter of 2024. Avis is the one of the largest U.S. car rental companies alongside other firms like Hertz, Enterprise and Budget. 

The incident has caused alarm among renters in light of the startling expansion in data collection practices by car companies. Most people now sync their smartphones to cars — even rental cars — exposing troves of sensitive information to vehicles that are then handed back to agencies like Avis. 

Earlier this year, truck rental company U-Haul said 67,000 people in the U.S. and Canada had driver’s license numbers and other identification card numbers leaked during a cyberattack.