Europcar Rebuffs Hacked Data as AI Generated

Global car rental company Europcar refuted data leak claims, stating that the advertised personal information of nearly 50 million customers is fake.

On January 28, a user of a popular hacking forum claimed to be selling information for 48,606,700 Europcar customers. The post included a sample of alleged stolen data, including names, complete address, birth and passport details, driver’s license number, and other information.

After a threat intelligence service notified it about the breach, Europcar verified the data. The company dismissed it as false, stating that it was probably generated using generative AI tools like ChatGPT.

The company went on to say:

– ‘’the number of records is completely wrong & inconsistent with ours,

– the sample data is likely ChatGPT-generated (addresses don’t exist, ZIP codes don’t match, first name and last name don’t match email addresses, email addresses use very unusual TLDs),

– and most importantly: none of these email addresses are present in our database.”

However, Troy Hunt of Have I Been Pwned does not believe that the data was generated using artificial intelligence, despite much of it being false.

According to him, there is a mismatch between the listed individuals’ names and corresponding email addresses and usernames. Moreover, some of the addresses are non-existent. ‘’But many of the physical addresses *are* fake – they just don’t exist. They’re generated,’’ Hunt wrote on X (previously Twitter).

Nevertheless, he pointed out that not all email addresses were false, some emails in the datasets were real. They appeared in previous breaches, monitored by the site, Have I Been Pwned.

While one cannot rule out the use of generative-AI in cyber-attacks and online scams, this data leak incident is not a result of this.

‘’We’ve had fabricated breaches since forever because people want airtime or to make a name for themselves or maybe a quick buck. Who knows, it doesn’t matter, because none of that makes it “AI” and seeking out headlines or sending spam pitches on that basis is just plain dumb,’’ Hunt explained.