No honour among thieves as ChatGPT used to create fake leak of 50 million Europcar customer records


Massive customer data loss is never nice. So, imagine the sinking feeling at multinational car rental outfit Europcar when fully 50 million customer records including everything from passwords and passport numbers to payment details, driver licence numbers, home addresses and emails were offered for sale on a hacker forum.

So, that's pretty much everything a bad actor would need to have a decent crack at identity theft, among various other nefarious activities.

Except, Europcar had a look at the data and concluded it was "completely incorrect, the sample data was probably generated by ChatGPT." Europcar apparently got the heads up when the "leak" was highlighted in an X post by HackManac, a repository of known cyber attacks.

Responding to HackManac's post, Europcar explained why the data was fake. The addresses listed do not exist, ZIP codes listed do not match the US states in given addresses, and first and last names did not match email addresses, among other flaws suggesting the data was not genuine. "Most importantly," Europcar revealed, "none of the email addresses are in our database." Boom.

As a consequence, HackManac has revised the status of the data breach. "We have marked this claim as false and removed it from our repository while we continue to investigate."

Your next machine

Gaming PC group shot
Gaming PC group shot

Best gaming PC: The top pre-built machines.
Best gaming laptop: Great devices for mobile gaming.

One aspect that isn't entirely clear is the basis on which Europcar decided that the data was "probably" generated by ChatGPT. Perhaps it's just the most plausible method for quickly and efficiently generating 50 million plausible looking but fake customer profiles.

One X poster has commented that at least some of the emails are thought to be real and apparently appear in other leaked databases. So, it could be a case of using an older leak of email address and pushing it through ChatGPT to add details like physical addresses and passport details, then attempting to flog the output to the highest bidder.

Of course, this does all rather serve as a reminder of the sensitive customer data that outfits like Europcar very probably do retain. Oh, and the fact that there really is no honour among thieves.