French car rental company Europcar made headlines earlier this week following reports of an alleged data breach affecting nearly 50 million customers.
Cyber security platform HackManac reported the incident on January 30th, noting that the stolen database containing usernames, passwords, full names, addresses, and several other user-identifying information had been listed for sale on a hacking forum.
Europcar Denies Data Breach
As the news started making rounds, Europcar issued a statement refuting that the data breach ever occurred. A spokesperson for the company claimed that stolen data were generated using AI, as the records contained in the stolen database were inconsistent with theirs.
“The number of records is completely wrong & and inconsistent with ours. The sample data is likely ChatGPT-generated (addresses don’t exist, ZIP codes don’t match, first name and last name don’t match email addresses, email addresses use very unusual TLDs),” the spokesperson said.
The popular opinion regarding the incident has been that AI is the enabler of fakery, with Europcar and some experts stating that “the use of AI in cyberattacks is becoming more commonplace – we, as defenders, should expect more AI-powered cyber-attacks in the near future.”
Experts Argue the Data Wasn’t Fabricated Using AI
However, some other experts disagree that the alleged data breach was perpetrated using AI.
The creator of the Have I Been Pwned platform, Tron Hunt, posted an X thread on January 31st, noting that while the legitimacy of the data doesn’t add up and may have been fabricated, it wasn’t generated using AI.
“13 years ago now I wrote about generated dummy data for testing purposes. THIS WASN’T “AI”!!! Just a big old DB of passable looking values, that is all,” Hunt wrote. “And many of the email addresses weren’t generated at all so that *definitely* wasn’t AI. I don’t know why they sat in there next to dummy data, but I know it wasn’t the outcome of some super-sophisticated LLM.”
Hunt argues that the perpetrators may have used data generators other than AI to fabricate the database posed as Europcar’s. He quoted another analytic platform, KasadalQ, which suggested that “Python Faker” may have been used to generate the data.
“We can very verify this data, provided in the screenshots, was not created by AI with about 5 minutes of effort,” KasadalQ noted.