A threat actor claims to have obtained 4.3 million user records from Centauro Rent a Car, the Spanish car rental company with a presence in several European countries. The alleged leak has been disseminated on the dark web, where the person responsible for announcing it claims to have extracted the information last week and has published a sample to try to prove the scope of the incident.
Among the allegedly compromised data are full names, email addresses, phone numbers, dates of birth, full physical addresses, driver's license details, tax identification numbers, gender, preferred language, and account statements and reservations. The actor claiming responsibility for the intrusion also maintains that the information was stored in JSON format.
A sensitive database linked to clients of the company
If the authenticity of the leak is confirmed, its scope would be significant because of the quantity and type of information exposed. The combination of personal and tax data with data linked to reservations and driver's licenses would place this case among the most impactful incidents known in the vehicle rental sector.
Centauro Rent a Car was founded in the 1970s in the Valencian Community and maintains international activity in Portugal, Italy and Greece. The company operates in a particularly sensitive sector because of the volume of identification documentation that rental and holiday rental companies handle.
"At Escudo Digital, we have contacted the company to clarify what happened, and we will update with more information if we receive a response." - Escudo Digital
A sector under pressure due to security breaches
The case is part of a series of recent incidents that have affected companies in the same sector. Last year, Hertz suffered a breach that affected customers in Europe, the United States, Australia, and Canada. In that episode, attackers exploited vulnerabilities in an external provider to access data such as names, driver's licenses, and payment card numbers. The criminal group CL0P was identified as responsible.
In 2024, Avis also recorded unauthorized access to internal systems that compromised the data of almost 300,000 clients. In that incident, data such as driver's licenses and dates of birth were exposed. Afterwards, the company offered identity monitoring services and announced a reinforcement of its security measures.
Not all recent episodes have ended up being confirmed. In the case of Europcar, the alleged data leak of millions of users turned out to be false and generated by artificial intelligence. Even so, the sector remains under surveillance. The shared mobility platform Zoomcar has also suffered unauthorized access incidents that compromised data of millions of users.
For now, there is no public confirmation from the company regarding the authenticity of the disseminated data. As long as there is no official verification, the case remains subject to the usual caution that applies to this type of announcement, although the publication of a sample and the volume attributed to the breach once again put the focus on the security of the information handled by vehicle rental companies.