Data Breach at Europcar Exposes Personal Information of Up to 200,000 Customers

In a significant security incident, multinational car-rental company Europcar Mobility Group reported a data breach that has exposed personal information of up to 200,000 customers. The breach involved unauthorized access to the company’s GitLab repositories, from which source code for its Android and iOS applications, as well as sensitive personal information, was stolen.

The threat actor announced the breach in late March, saying they had acquired over 37GB of data, including SQL backups and confidential configurations. The hacker is attempting to extort the company, threatening to release the sensitive data unless their demands are met. The data includes more than 9,000 SQL files containing personal information, as well as 269 configuration files.

Europcar Mobility Group, a subsidiary of Green Mobility Holding, operates multiple brands including Europcar, Goldcar, and Ubeeqo. The company serves a large customer base across 140 countries. Following the breach, Europcar is currently assessing the full extent of the damage and is in the process of notifying affected customers.

Despite the threat actor’s claims, it has been confirmed that not all source code was compromised, with some components remaining untouched. Importantly, more sensitive information such as bank account details or passwords has not been found among the stolen data. The company has also informed the relevant data protection authority about the breach.

How the threat actor accessed Europcar’s GitLab repositories remains under investigation. Past incidents have shown that many breaches are facilitated by credentials stolen through infostealer compromises. Europcar previously faced a fake breach in which an individual falsely claimed to possess data of nearly 50 million users.