Car rental company Europcar says it has not suffered a data breach and that shared customer data is fake after a threat actor claimed to be selling the personal info of 50 million customers.
On Sunday, a person claimed to be selling the data for 48,606,700 Europcar.com customers on a popular hacking forum.
The post included samples of the stolen data for 31 alleged Europcar customers, including names, addresses, birth dates, driver’s license numbers, and other information.
However, after contacting Europcar last night, BleepingComputer was told that the breach was fake and that the data was fabricated using artificial intelligence.
“After being notified by a threat intel service that an account pretends to sell Europcar data on the dark net and thoroughly checking the data contained in the sample, we are confident that this advertisement is false:
– the number of records is completely wrong & inconsistent with ours,
– the sample data is likely ChatGPT-generated (addresses don’t exist, ZIP codes don’t match, first name and last name don’t match email addresses, email addresses use very unusual TLDs),
– and most importantly: none of these email addresses are present in our database.”
As Have I Been Pwned’s Troy Hunt explains, while much of the data is clearly fake, he does not believe it was created using artificial intelligence.
Hunt pointed out that the email addresses do not match the usernames. For example, all usernames contain either a first or last name, but none match the full name listed in the data.
The second indicator that the data is fake is that the addresses simply do not exist. For example, two of the listed customer records use the non-existent towns of “Lake Alyssaberg, DC” and “West Paulburgh, PA.”
Another indicator is that the addresses and phone numbers are for regions in the U.S., yet many of the associated emails are for other countries.
While Europcar told BleepingComputer they believe this data was created using AI, Hunt points out that some of the email addresses are real, appearing in previous data breaches monitored by Have I Been Pwned.
Instead, Hunt believes the mention of artificial intelligence is just a hot take based on the subject’s popularity and was not involved in creating this data.
“We’ve had fabricated breaches since forever because people want airtime or to make a name for themselves or maybe a quick buck,” explains Hunt.
“Who knows, it doesn’t matter, because none of that makes it “AI” and seeking out headlines or sending spam pitches on that basis is just plain dumb.”
As pointed out by security researcher NexusFuzzy, there are existing projects that allow anyone to create data that looks almost exactly like what was shared in the fake data breach samples.
While threat actors already use artificial intelligence as part of their scams and attacks, and will likely expand its use in the future, this incident does not appear to be one of them.