Centauro Rent a Car data breach: what was exposed and what to do
A few days ago I received an email from Centauro Rent a Car stating that on December 18 they discovered “partial unauthorized access” (their wording) to certain customer data via a web service. If you’re a customer, you may have received the same notice.
What Centauro actually said
In their notice, Centauro says they detected unauthorized access on December 18 and that it happened “through the web service.” They claim the incident was “immediately remedied” and that they “strengthened access control security” afterwards.
Most importantly, they say the exposure was limited to customer data provided for registration/contracting, including (in some cases):
- Basic identity: first name, last name, date of birth, gender
- Contact details: email, postal address, phone number
- ID numbers: personal ID, driver’s license, tax ID, or passport and expiration date
They also state that no bank card data was exposed and that passwords remain secure (their claim), and that they notified relevant authorities including Data Protection Authorities.
Source: customer email sent by Centauro (copied below).
Important Information about personal data
At Centauro, we are committed to the security and privacy of our customers.
For this reason, we would like to inform you that on December 18 we became aware of a partial unauthorized access to certain customer data through the web service.
The incident was identified and immediately remedied, with access control security being strengthened to prevent similar situations from occurring in the future.
The incident did not involve the destruction or alteration of data and was limited to access to certain personal data that you may have provided to us for your registration or contracting with Centauro. These include, in some cases, basic identification details (first name, last name, date of birth, gender), contact details (email address, postal address, or telephone number), or identification numbers (personal ID, driver’s license, tax ID, or passport, and their expiration date). Centauro does not store documents.
No financial information or bank card data was exposed. Your access credentials and passwords remain secure.
As soon as we became aware of the incident, we activated our security protocols, sought specialized advice, and notified the competent authorities, including the Data Protection Authorities.
As a preventive measure, we are issuing this communication to minimize any potential consequences of fraudulent use or loss of data confidentiality. We recommend that you remain alert to any atypical or unusual activity that may be related to your personal data (e.g., suspicious communications through any channel; SMS, WhatsApp messages, or phone calls from senders you cannot clearly identify; links included in messages from untrustworthy sources; etc.).
Our Contact Centre is available to you at the email address personaldata@centauro.net and telephone number (+34) 965 640 403 for any additional questions. We apologize for any inconvenience this isolated incident may cause you.
We take this opportunity to thank you for your trust and to reaffirm our commitment to your security.
Kind regards.
What we don’t know (assume unknown until clarified)
- whether your specific record was accessed
- exactly how many people were affected
- how long the access lasted
- whether the data has been redistributed
Why “no financial data” doesn’t mean “low risk”
If ID numbers (passport / tax ID / driver’s license) were exposed, the risk shifts from card fraud (easy to mitigate) to identity-enabled fraud and highly convincing phishing.
Even without scans or images of the document, an ID number together with its expiry date is enough for attackers to craft believable scams and to pass the weak “identity checks” some services still rely on.
What you can do quickly today
These are quick, high-impact steps that don’t require special tools.
1) Don’t engage with follow-up messages
Assume scammers may use your details to craft convincing “refund”, “unpaid toll”, or “verification” messages.
- Don’t click links in SMS/WhatsApp/email about this incident.
- If you need to contact Centauro, navigate to their site manually or use the contact details from the original email.
2) Secure your Centauro account
If you have a Centauro account:
- Change your password now.
- Use a unique password you don’t use anywhere else.
3) Check for password reuse
If you ever reused the Centauro password elsewhere (even “slight variations”), change the reused ones first (email and banking are top priority).
4) Turn on basic message filtering
Do one small “anti-phishing” tweak:
- Enable spam filtering / “unknown sender” filtering in your email client.
- On your phone, enable “silence unknown callers” (or similar). This reduces the chances you’ll get caught by a convincing social-engineering attempt.
5) Ask Centauro what your record contained
Email their privacy contact and ask for specifics (keep it short):
- Was my record included in the accessed dataset?
- Which fields were accessed (passport / driver’s license / tax ID / address / phone)?
- What was the time window of access?
- What remediation steps do you recommend for affected customers?
You don’t need a legal threat. You need facts. If your ID number was among the exposed fields, that’s a different class of risk than card data.
Optional: quick broader exposure check (2 minutes)
HaveIBeenPwned can tell you whether your email appears in other known breaches. This incident may or may not show up there, but it’s a useful baseline.
If your passport / tax ID / driver’s license number was exposed (optional)
If Centauro confirms your ID number was among the accessed fields:
- Save a copy of the notice and your correspondence (dates matter).
- Be extra strict about identity verification requests (banks, telcos, “refunds”, delivery, tolls).
- Check what your country’s issuing authority recommends for compromised documents/IDs and follow that process.
Updates
On January 29 I received a follow-up email from Centauro with more detail than the original notice. I hadn’t even asked; they sent it unprompted. Here’s what it adds.
On what was actually exposed
The original notice was vague about which fields were involved. The follow-up gets specific. The fields potentially in scope are:
- Customer code
- Identity: first name, surname, gender, date of birth, country of birth
- Contact: email, phone prefix, phone number
- Address: road name, number, block, letter, postal code, city, province, country
- Driver’s license: number, issuing authority, country, expedition (issue) date, expiration date
Worth noting: the full address breakdown and the driver’s license expedition date weren’t in the original notice. So the picture is wider than what they initially communicated.
On whether your data was actually taken
This is the question everyone wants answered, and Centauro is honest about the limits of what they know:
“We have no specific evidence of extraction or download of your data. The incident may only have resulted in partial unauthorized access to certain data, although we have no specific evidence of this.”
“No evidence of extraction” is not the same as “your data wasn’t taken.” It means their forensic analysis didn’t find proof of a download. That’s somewhat reassuring, but not a guarantee. Sophisticated access doesn’t always leave clear traces.
On dark web monitoring
This is the more useful signal. Centauro says they’ve been actively monitoring the places where stolen data typically gets published or sold:
“We have found no evidence that your data have been published, disseminated, or offered for sale in common marketplaces or exchange environments for this type of information on the dark web.”
Several weeks after the incident with no appearance in known leak environments is genuinely a better indicator than the absence of extraction evidence. Not conclusive, but it matters.
What this changes
Practically, nothing in the steps above changes. The recommendations still stand.
What the follow-up does add is a clearer picture of what was in scope. If you’re deciding whether to contact Centauro and ask about your specific record, the driver’s license fields are the ones worth asking about specifically, since those carry more risk than a name and email address.