Europcar Mobility Group, a major international car rental company, has experienced a data breach potentially impacting up to 200,000 customers. The breach involved compromised GitLab repositories, highlighting the vulnerability of cloud-based infrastructure and the importance of robust data security measures for large enterprises.
The Breach and its Scope
A threat actor, claiming the name “Europcar,” announced the breach last month, stating they had obtained all of the company’s GitLab repositories. This included cloud infrastructure, internal applications, mobile apps (iOS and Android), website backups, and numerous sensitive files containing personal data. The actor claimed to have acquired “more than 37GB of data, including 645,041 files and 183,476 folders.” They also posted screenshots of source code containing credentials as proof.
Europcar confirmed the breach but disputed the claim that all GitLab repositories were compromised. The company stated that some network areas remained unaffected.
Data Exposed and Europcar’s Response
The compromised data reportedly includes names and email addresses of Ubeeqo and Goldcar users—sister companies under Green Mobility Holding. Crucially, Europcar confirmed that no passwords, bank details, or credit card information were exposed. The number of affected customers is estimated to be between 50,000 and 200,000, some dating back to 2017-2020.
Europcar is actively notifying affected customers.
A Previous Alleged Breach and its Disputation
This incident follows a similar claim in January 2024, where a threat actor alleged possession of data from 48,606,700 Europcar users. This claim included highly sensitive information like full names, addresses, passport and driver’s license details, and bank information. However, Europcar deemed this earlier claim false, asserting that the data was AI-generated and did not match their records. Troy Hunt of HaveIBeenPwned, while acknowledging inconsistencies in the hacker’s data, noted that some email addresses were real, appearing in other breaches. Hunt stated: “We’ve had fabricated breaches since forever because people want airtime or to make a name for themselves or maybe a quick buck…Who knows, it doesn’t matter, because none of that makes it ‘AI’ and seeking out headlines or sending spam pitches on that basis is just plain dumb.”
