Europcar has said that a data breach affecting millions of its customers is fake.
A threat actor was discovered selling a database on a well-known underground forum which they claimed holds the records of close to 50 million customers of the car rental firm. The sample they shared shows apparent names, addresses, license numbers, and bank details among the information.
However, after BleepingComputer contacted Europcar, the firm claimed the breach is not real, adding the data was likely spoofed using AI tools such as ChatGPT.
AI generated?
Europcar says it arrived at this suspicion as the, "addresses don't exist, ZIP codes don't match, first name and last name don't match email addresses, email addresses use very unusual TLDs."
What's more, the company also stated that "none of these email addresses are present in our database."
There are mismatches between usernames and emails, and some addresses have been made up, such as "Lake Alyssaberg, DC" and "West Paulburgh, PA." Also, addresses and phone numbers pertain to regions in the US, while many of the corresponding email addresses are foreign.
HaveIBeenPwned creator Troy Hunt chimed in on X, tweeting that while he believes the data is fake, it isn't necessarily AI-generated, pointing out that some of the email addresses contained in the dataset are real - they've just appeared in previous, unrelated data breaches monitored by the site.
He also said that "we've had fabricated breaches since forever," not just since the AI boom we're experiencing right now. There are also various services that can easily create fake datasets that look convincing on the surface, for the purposes of creating XML documents and anonymizing data, among others.