Car rental giant Avis said the personal information and driver's license numbers of hundreds of thousands of people were stolen in a cyberattack in August.
In data breach notification letters filed with several U.S. attorneys general over the past week, the New Jersey-based company said it discovered an intruder in one of its business applications on Aug. 5 and worked to stop the unauthorized access that began two days earlier.
Avis has not disclosed the nature of the cyberattack, and details of the incident are unclear. An Avis spokesman did not respond to an email seeking comment about the cyberattack.
In a data breach notification filed with the Iowa Attorney General over the weekend, the rental car company said the stolen information included customers' names, mailing addresses, email addresses, phone numbers, birth dates, credit card numbers and expiration dates, and driver's license numbers. It remains unclear why Avis would have stored this sensitive customer information in a way that would have exposed it.
A document filed with the Maine Attorney General on Monday revealed that the Avis data breach has affected a total of 299,006 individuals so far. Texas has the most affected state residents, at 34,592, according to a separate document filed with the Texas Attorney General.
Additional data breach notices are expected to be filed with the remaining attorneys general in the coming weeks, and it remains to be seen whether the number of individuals affected by the Avis data breach will grow.
Avis, which owns the Budget Rent-A-Car and Zipcar car-sharing brands, has more than 10,000 rental locations in 180 countries, according to the company's most recent full-year financial results, released in February. Avis is on track to generate revenue of $12 billion in 2023, and its CEO, Joe Ferraro, reported total compensation of $10.2 million for the year.
It's not clear who oversees cybersecurity at Avis.