Europcar, the rental car giant, faced a potential security threat over the weekend when a user in a hacking forum claimed to possess stolen data from over 48 million Europcar customers.
However, Europcar asserts that the alleged breach appears to be a fabrication, potentially created using ChatGPT or a similar text-generating AI.
The company initiated an investigation following an alert from a threat intelligence service about the forum advertisement. Europcar spokesperson Vincent Vevaud expressed confidence in the data being false, citing several inconsistencies:
- The claimed number of records vastly differs from Europcar’s database.
- Sample data characteristics, such as nonexistent addresses, mismatched ZIP codes, and unusual top-level domains (TLDs) in email addresses, suggest it might be ChatGPT-generated.
- None of the provided email addresses were found in Europcar’s customer database.
The forum user, maintaining the authenticity of the data, failed to provide any supporting evidence. The advertised data supposedly included sensitive information like usernames, passwords, full names, addresses, ZIP codes, birth dates, passport numbers, and driver’s license numbers.
Independent analyses by Troy Hunt, from Have I Been Pwned, and TechCrunch further cast doubt on the legitimacy of the data. Hunt highlighted discrepancies in email addresses and usernames, while also noting that several listed home addresses were nonexistent.
Europcar’s swift response and thorough investigation underscore the ongoing challenges companies face in securing customer data amid evolving cybersecurity threats.