ClickRent would have suffered a data leak that would affect 2.5 million clients, with exposure of identity documentation, personal information, financial data, and internal company files. The incident would have occurred this past weekend and authorship is attributed to the threat actor Jenk, who claims to have obtained full access to the company's infrastructure.
The intrusion became known after the alleged attacker put up for sale the database and the stolen files after, according to him, two weeks of failed negotiations. The stolen information would exceed 200 GB, an especially sensitive part due to the type of compromised documents and the volume of allegedly affected clients.
Identity documentation and personal data exposed
Among the stolen files would be included more than 100 GB of identity documentation. In that batch there would be passports, DNIs, driving licenses, PDF documents and selfies used in identity verification processes.
The breach would also include names, physical addresses, dates of birth, email addresses, phone numbers, and even passwords. To this would be added card numbers, partial or complete, in addition to booking histories with details about vehicles, locations and dates, along with transaction tokens.
Alongside customer information, the attack would also have reached corporate data of ClickRent, such as employee information, internal company files and financial documentation.
Sale of the archives after failed negotiations
The threat actor who claims responsibility for the attack states to have gained complete access to the company's infrastructure. Afterwards, always according to their version, they maintained a two-week negotiation process that ended without agreement. After that point, they decided to put the database and the rest of the stolen files up for sale.
In his publication, the attacker himself warns of the seriousness of the incident and points to a possible intervention by the Spanish Data Protection Agency. For now, the exact scope of the breach and the definitive number of affected parties remain under evaluation.
A new blow to the renting sector
The leak is framed within a recent chain of incidents affecting the vehicle rental sector. Just a few days ago, another breach came to light at Centauro Rent a Car, where 4.3 million records were compromised.
In that case, full names, email addresses, phone numbers, dates of birth, full physical addresses, driver's license data, tax identification numbers, gender, preferred language, and account statements and reservations were exposed. These episodes are also added to others that affected Hertz and Avis, while in Europcar the alleged incident ended up being considered a false leak.
A company with presence throughout the country
ClickRent is a Spanish company founded in 2011 and with its main headquarters in Palma de Mallorca. It operates in the rental of cars, vans, motorcycles, and other vehicles, and has more than 30 offices in airports, train stations, and cities across the country.
The possible massive exposure of identification documentation, reservation histories, and financial data once again places the focus on the security of the sector's platforms. While the real scope of the attack is clarified, the case leaves in the air the situation of millions of users whose data would have been compromised.