Centauro Rent a Car data breach: what was exposed and what to do
A few days ago I received an email from Centauro Rent a Car stating they discovered “partial unauthorized access” to certain customer data via a web service on December 18 (their wording). If you’re a customer, you may have received the same notice.
What Centauro actually said
In their notice, Centauro says they detected unauthorized access on December 18 and that it happened “through the web service.” They claim the incident was “immediately remedied” and that they “strengthened access control security” afterwards.
Most importantly, they say the exposure was limited to customer data provided for registration/contracting, including (in some cases):
- Basic identity: first name, last name, date of birth, gender
- Contact details: email, postal address, phone number
- ID numbers: personal ID, driver’s license, tax ID, or passport and expiration date
They also state that no bank card data was exposed and that passwords remain secure (their claim), and that they notified relevant authorities including Data Protection Authorities.
Source: customer email sent by Centauro (copied below).
Important Information about personal data
At Centauro, we are committed to the security and privacy of our customers.
For this reason, we would like to inform you that on December 18 we became aware of a partial unauthorized access to certain customer data through the web service.
The incident was identified and immediately remedied, with access control security being strengthened to prevent similar situations from occurring in the future.
The incident did not involve the destruction or alteration of data and was limited to access to certain personal data that you may have provided to us for your registration or contracting with Centauro. These include, in some cases, basic identification details (first name, last name, date of birth, gender), contact details (email address, postal address, or telephone number), or identification numbers (personal ID, driver’s license, tax ID, or passport, and their expiration date). Centauro does not store documents.
No financial information or bank card data was exposed. Your access credentials and passwords remain secure.
As soon as we became aware of the incident, we activated our security protocols, sought specialized advice, and notified the competent authorities, including the Data Protection Authorities.
As a preventive measure, we are issuing this communication to minimize any potential consequences of fraudulent use or loss of data confidentiality. We recommend that you remain alert to any atypical or unusual activity that may be related to your personal data (e.g., suspicious communications through any channel; SMS, WhatsApp messages, or phone calls from senders you cannot clearly identify; links included in messages from untrustworthy sources; etc.).
Our Contact Centre is available to you at the email address personaldata@centauro.net and telephone number (+34) 965 640 403 for any additional questions. We apologize for any inconvenience this isolated incident may cause you.
We take this opportunity to thank you for your trust and to reaffirm our commitment to your security.
Kind regards.
What we don’t know (assume unknown until clarified)
- whether your specific record was accessed
- exactly how many people were affected
- how long the access lasted
- whether the data has been redistributed
Why “no financial data” doesn’t mean “low risk”
If ID numbers (passport / tax ID / driver’s license) were exposed, the risk shifts from card fraud (easy to mitigate) to identity-enabled fraud and highly convincing phishing.
Even without scans or images, the raw ID number + expiry date is enough for attackers to craft believable scams and to pass weak “identity checks” used by some services.
What you can do today (quick steps)
These are quick, high-impact steps that don’t require special tools.
1) Don’t engage with follow-up messages
Assume scammers may use your details to craft convincing “refund”, “unpaid toll”, or “verification” messages.
- Don’t click links in SMS/WhatsApp/email about this incident.
- If you need to contact Centauro, navigate to their site manually or use the contact details from the original email.
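
As an added example (not part of Centauro's notice or the original post), this Python check shows why a link cannot be judged by eye: it extracts each URL from a message and reports the host a browser would actually connect to. It assumes the official domain is `centauro.net`, inferred from the contact address in the notice; the sample messages and `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the official domain is inferred from the contact address in the
# notice (personaldata@centauro.net); extend the set if Centauro uses others.
TRUSTED_DOMAINS = {"centauro.net"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

def host_of(url):
    """Hostname a browser would actually connect to, or None if unparsable."""
    try:
        host = urlsplit(url).hostname  # ignores any 'user@' prefix and the port
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def is_trusted(host):
    """True only for a trusted domain or a genuine subdomain of one."""
    if not host or any(label.startswith("xn--") for label in host.split(".")):
        return False  # unparsable, or punycode that may hide look-alike letters
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_message(text):
    """Return [(host, trusted)] for every http(s) link found in a message."""
    hosts = [host_of(u) for u in URL_RE.findall(text)]
    return [(h, is_trusted(h)) for h in hosts]

# Constructed sample messages (not real lures); .example hosts are placeholders.
SAMPLES = [
    "Centauro refund pending: https://centauro.net.refund-desk.example/claim",
    "Verify your ID: https://www.centauro.net@verify-id.example/login",
    "Unpaid toll on your rental: http://centauro-refunds.example/pay",
    "Manage your booking at https://www.centauro.net/",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for host, trusted in check_message(msg):
            verdict = "official domain" if trusted else "NOT Centauro"
            print(f"{verdict:16} {host}  <- {msg[:40]}")
```

Only the last sample resolves to the official domain; the first two merely contain its name in the visible link text. Even for a link that passes, typing the address yourself remains the safer habit.
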
2) Secure your Centauro account
If you have a Centauro account:
- Change your password now.
- Use a unique password you don’t use anywhere else.
3) Check for password reuse
If you ever reused the Centauro password elsewhere (even “slight variations”), change the reused ones first (email and banking are top priority).
4) Turn on basic message filtering
Do one small “anti-phishing” tweak:
- Enable spam filtering / “unknown sender” filtering in your email client.
- On your phone, enable “silence unknown callers” (or similar). This reduces the chances you’ll get caught by a convincing social-engineering attempt.
5) Ask Centauro what your record contained
Email their privacy contact and ask for specifics (keep it short):
- Was my record included in the accessed dataset?
- Which fields were accessed (passport / driver’s license / tax ID / address / phone)?
- What was the time window of access?
- What remediation steps do you recommend for affected customers?
You don’t need a legal threat. You need facts. If your ID number was among the exposed fields, that’s a different class of risk than card data.
Optional: quick broader exposure check (2 minutes)
HaveIBeenPwned can tell you whether your email appears in other known breaches. This incident may or may not show up there, but it’s a useful baseline.
If your passport / tax ID / driver’s license number was exposed (optional)
If Centauro confirms your ID number was among the accessed fields:
- Save a copy of the notice and your correspondence (dates matter).
- Be extra strict about identity verification requests (banks, telcos, “refunds”, delivery, tolls).
- Check what your country’s issuing authority recommends for compromised documents/IDs and follow that process.