A database containing nearly 50 million customer records reportedly stolen from car rental service Europcar has been put up for sale on a hacking forum, but questions have been raised over the data’s authenticity.
If legitimate, the leak would be one of the largest data breaches in recent years, and the nature of the stolen information would have exposed customers to a wide range of attacks.
As pointed out by Reddit’s head of security Matt Johansen on X (formerly Twitter), car rental companies require customers to hand over a lot of personal identifiable information (PII), including passports and driver’s licenses, which are much harder to rotate than exposed passwords.
Europcar, however, has said the database is fake. It said the records included in a sample of the data do not match those it has on file, with none of the leaked email address records corresponding to those in its own database.
In addition, Europcar speculated that the data may have been synthesized using generative AI, pointing to a series of discrepancies that look like hallucinations.
For example, the data includes non-existent addresses, ZIP codes that don’t match addresses, and both first and last names that do not correspond to those used in email addresses.
At the time of writing, the authenticity of the data has not been verified, but Huseyin Can Yuceel, security researcher at Picus Security, appeared confident the data was created using generative AI tools.
Read more
“The Europcar security incident unfolded like a classic Scooby Doo unmasking. In the space of a couple of hours, the infosec community went from analyzing the impact of one of the biggest data breaches of all time, to exposing an AI powered hoax.”
Can Yuceel argued this incident represents a novel attack vector being exploited by threat actors, using generative AI to create fake datasets that can be used to deceive and extort businesses.
“A far cry from initial reports of a data breach involving 50 million customers, this incident should be classified as an attempted social engineering attack. In social engineering attacks, it’s common for adversaries to manipulate their victims into sharing confidential information or executing malware to compromise the target system” he explained.
“In this case, it seems as though attackers tried to create panic and pressure their target into paying ransom for a false claim that they stole sensitive customer data.”
Questioning the role AI in fabricating data for extortion attempts
This debacle highlights AI’s offensive potential, according to Can Yuceel, who said businesses should take note of the extortion technique and adjust their incident response procedures accordingly.
“Adversaries are quick to adopt new techniques and tools, and the use of AI in cyber-attacks is becoming more commonplace. We, as defenders, should expect more AI-powered cyber-attacks in the near future.”
This interpretation has been challenged by other security experts, however, arguing the role of AI in fabricating the stolen data is not clear and could have been executed using legacy techniques.
Troy Hunt, founder and CEO at data breach site Have I Been Pwned, warned against jumping to the conclusion that AI was integral to this attack, citing his previous work on generating dummy data using software company Red Gate’s SQL data generator technology.
RELATED RESOURCE
Discover how you can harness generative AI's full potential
Hunt noted many of the email addresses were not synthesized, but lifted from records exposed in previous data breaches, arguing this confirms AI was definitely not involved in generating the leaked email addresses.
Regardless of AI’s role in the attack, the recommendations for businesses to protect themselves against falling for fabricated data breaches remains the same: always compare stolen records with internal databases to confirm the veracity of the breach before acting.
As such, Can Yuceel praised Europcar’s response to the incident by cross-checking the stolen data with that in their internal database.
“It appears that Europcar did its due diligence and followed the incident response best practices by confirming whether these claims were true. After analyzing the claim, they found that the data was fake and confirmed there was no breach.”
-
Pure Storage’s expanded partner ecosystem helps fuel Q3 growthNews The data storage vendor has announced a 16% year-over-year revenue hike in its latest earnings report, driven by continued channel and product investment
-
Partners have been ‘critical from day one’ at AWS, and the company’s agentic AI drive means they’re more important than everNews The hyperscaler is leaning on its extensive ties with channel partners and systems integrators to drive AI adoption
-
HPE selects CrowdStrike to safeguard high-performance AI workloadsNews The security vendor joins HPE’s Unleash AI partner program, bringing Falcon security capabilities to HPE Private Cloud AI
-
Microsoft opens up Entra Agent ID preview with new AI featuresNews Microsoft Entra Agent ID aims to help manage influx of AI agents using existing tools
-
GitHub is awash with leaked AI company secrets – API keys, tokens, and credentials were all found out in the openNews Wiz research suggests AI leaders need to clean up their act when it comes to secrets leaking
-
Small businesses can't get cyber strategies up and running – here's whyNews SMBs are turning to outside help to shore up security as internal strategies fall flat
-
Using AI to code? Watch your security debtnews Black Duck research shows faster development may be causing risks for companies
-
Organizations warned of "significant lag" in deepfake protection investmentnews Defenses are failing to keep up with the rapidly growing attack vector, with most organizations being overconfident
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
-
Middlesbrough Council boosts cybersecurity spending, strategy in response to repeated cyberattacksNews Councils across the UK have publicly struggled with maintaining services in the face of major cyber disruption
