Thousands of Avis car rental customers had personal data stolen in cyberattack

Car rental giant Avis is notifying hundreds of thousands of people that their personal information and driver's license numbers were stolen in an August cyberattack.

The New Jersey-headquartered company said in a data breach notice filed with several U.S. attorneys general over the past week that it discovered intruders in one of its business applications on August 5 and took efforts to end the unauthorized access, which the company said began two days earlier.

Avis did not disclose the nature of the cyberattack and details of the incident remain scarce. An Avis spokesperson did not respond to an email requesting comment about the cyberattack.

In a data breach notice filed late last week with Iowa's attorney general, the car rental company said that the stolen information includes customer names, mailing addresses, email addresses, phone numbers, dates of birth, credit card numbers and expiration dates, and driverā€™s license numbers. It's not yet known why Avis stored this sensitive customer information in a way that allowed it to be compromised.

On Monday, a filing with Maine's attorney general revealed that Avis' data breach affects a total of 299,006 individuals to date. A separate filing with Texas' attorney general reported that Texas had the most affected state residents at 34,592 individuals.

Further data breach notices are expected to be filed in the coming weeks with the remaining attorneys general. It's not yet known if the number of individuals affected by the Avis data breach will rise.

Avis, which owns the Budget car hire and Zipcar car-sharing brands, has more than 10,000 rental locations in 180 countries, according to the company's most recent full-year financial earnings reported in February. Avis made $12 billion in revenue during 2023, and the company's chief executive Joeā€‹ Ferraro reported $10.2 million in total compensation that year.

It is not clear who at Avis oversees cybersecurity for the company.