Scooby Doo hacker behind 50 million customer Europcar “breach”

Massive data breaches have, sadly, become so commonplace that when reports of a global car rental company have allegedly been compromised and information concerning 50 million customers is up for sale on the dark web, it’s taken at face value. But what if the face in question was a mask, Scooby Doo style? What if that data breach was not only a hoax but one powered by AI?

They might have gotten away with it if it wasn’t for those pesky security researchers…

News appeared overnight on X (formerly known as Twitter) detailing an alleged major data breach involving Europcar. The tweet was published in good faith by a long-established account that manages a database of publicly known cyber attacks.

It reported that a total of 48,606,700 Europcar customer records had appeared for sale on a dark web hacking forum. Records, according to the hacking forum posting, include login credentials, passport numbers, driving licence details, bank account information and more.

That for-sale posting was made by a cyber criminal with the alias of “lean”. However, it appeared that lean is a very new account only registered on January 11 and with just a handful of posts.

In and of itself this is a red flag when they jump right in with such a big data breach haul. A red flag that started blowing around like crazy after Bleeping Computer contacted Europcar which told them there had been no breach.

Of course, compromised organisations denying compromise is nothing new either. However, it would appear that none of the claimed customer emails are in the Europcar customer database, and both names and addresses are also fake.

Reaction to Europcar breach

Huseyin Can Yuceel, a Security Researcher at Picus Security, says that “the Europcar security incident unfolded like a classic Scooby Doo unmasking. In the space of a couple of hours, the infosec community went from analysing the impact of one of the biggest data breaches of all time to exposing an AI-powered hoax.”

Yuceel says that the incident looks more like a social engineering attack than anything.

“In social engineering attacks, it’s common for adversaries to manipulate their victims into sharing confidential information or executing malware to compromise the target system. In this case, it seems as though attackers tried to create panic and pressure their target into paying ransom for a false claim that they stole sensitive customer data. Like a villain dressing as a ghost to convince people that the local theme park is haunted.”

Organisations should take note, Yuceel concludes, as “the use of AI in cyberattacks is becoming more commonplace – we, as defenders, should expect more AI-powered cyber-attacks in the near future.”

Europcar response to a breach

A Europcar spokesperson provided the following statement:

“After being notified by a threat intel service that an account pretends to sell Europcar data on the dark net and thoroughly checking the data contained in the sample, the company is confident that this advertisement is false:

• The number of records is completely wrong & and inconsistent with ours,
• The sample data is likely ChatGPT-generated (addresses don’t exist, ZIP codes don’t match, first name and last name don’t match email addresses, email addresses use very unusual TLDs),
• And most importantly, none of these email addresses are present in our customer database.”

Worth a read

• Fintech 2024 shows green shoots with backing from Alphabet and Uber
• Canva targets professional designers with Affinity acquisition
• How genius coworker Salesforce Einstein Copilot AI can help your business
• Bruno Luis, Head of Marketing at Bloq.it: “The sooner you move into this new age, of marketing and design-focused tools, the better and happier your team will be”