299,066 Americans Gave Avis Their Driver’s Licenses—Hackers Had All Of Them In 96 Hours

Between August 3 and August 6, 2024, hackers cracked a single Avis business application and walked out with the complete identity profiles of 299,006 customers. Names, driver’s license numbers, credit card details, dates of birth, and addresses. Everything a person hands over at a rental counter to drive off the lot. Four days. One application. Nearly 300,000 people were exposed. Avis agreed to a $3.08 million settlement. That number sounds large until you do the math on who actually gets paid. The math is brutal.

A Surgical Strike, Not a Random Hit

Most major data breaches involve weeks or months of undetected access. This one took 96 hours. That speed points to something uncomfortable: whoever broke in already knew the layout. One business application, targeted with precision, drained nearly 300,000 complete identity kits. Avis has never publicly disclosed which application was compromised or whether the vulnerability has been patched. Texas alone accounted for 34,592 victims, roughly 11.6% of the total. The breach was reported to the California Attorney General. The company denies wrongdoing.

Your Identity, Priced at $10.30

Divide the $3.08 million settlement by 299,006 victims. That’s $10.30 per person. Before attorneys take their cut. The total settlement fund is $1,025,000, from which up to $341,632.50 in attorney fees, $30,000 in expenses, and administrative costs will be deducted before any payments reach claimants. Settlement notices advertise “up to $5,000” for documented losses. Historical data breach claim rates run 5-10%. At a 10% filing rate, each claimant collects roughly $22. The gap between the headline promise and the actual check is about 263 to 1.

The Rental Counter as Identity Vault

Every car rental transaction creates a complete identity theft kit. Driver’s license. Credit card number and expiration. Date of birth. Phone number. Address. Customers hand all of it over voluntarily because the rental process requires it. Avis, Hertz, Enterprise, Budget, National: every major rental company collects and centralizes this data. The Avis breach exposed what the entire industry quietly depends on: databases packed with everything a criminal needs, stored behind security that failed in four days. Competitors now face the same scrutiny and the same litigation risk.

Cyber Insurance Just Got Expensive

The Avis breach landed during a wave of major automotive industry cyber attacks in 2024 and 2025. That pattern changes the insurance math for every rental company in America. Cyber liability underwriting for the car rental sector will reprice upward, and those costs flow downstream to rental rates. Avis’s $3.08 million settlement now establishes a baseline: roughly $10 to $15 per victim for future car rental data breaches. One breach. One price anchor. Every competitor’s legal team just recalculated its exposure.

The Machine Behind the Settlement

Class action settlements operate as debt-cancellation tools, not compensation mechanisms. Attorneys extract 33.3% of the net fund. Administrators take their cut. The advertised “$5,000 claim” maximizes class size for jurisdictional purposes, then pro rata math reduces actual payouts to pennies. Roughly 95-97% of personal injury cases settle before trial. Avis calculated that writing a $3.08 million check cost less than facing a jury. Breach happens. The settlement fund absorbs the liability. Attorneys profit. The company denies wrongdoing. Victims file paperwork for $22. Same mechanism. Every single time.

“Denies the Allegations”

“Avis denies the allegations but agreed to settle to avoid the expense and risk of further litigation and a possible trial.” Read that twice. A company whose single application hemorrhaged 299,006 identity profiles in 96 hours denies it failed to protect customer data. Then writes a $3.08 million check. Companies don’t spend that kind of money defending allegations they believe are baseless. The denial is a legal boilerplate designed to prevent the settlement from being used as an admission in future cases. The check tells the real story.

A Pattern, Not an Accident

Pennsylvania courts awarded $3 million in punitive damages against Avis in a separate 2025 case for renting a vehicle to a driver with a suspended license who caused a fatal crash. Negligent verification of the very documents Avis collects. A prior 2016-2023 class action settlement covered improper GSO and RSP fee charges at Payless Car Rental. Three major legal actions in a decade, each rooted in procedural failure. The data breach settlement contains no punitive damages. Courts have shown willingness to punish Avis, but plaintiffs in this case chose settlement speed over that lever.

Who Wins, Who Loses, What to Know

Winners: plaintiff attorneys collecting up to $341,632.50. Avis, which extinguishes litigation rights for $10.30 per victim. Losers: the estimated 269,105 victims who will never file a claim and receive nothing. The free Equifax credit monitoring covers one year. Identity theft consequences last far longer. The claim deadline is June 21, 2026. The exclusion deadline is May 22, 2026. The case is No. 2:24-cv-09243 in the U.S. District Court for the District of New Jersey. Filing is the only move that preserves any compensation rights.

The Cascade Keeps Breaking

Payments won’t arrive until late 2026 at the earliest, over two years after the breach. Unclaimed funds will likely revert to Avis or flow to privacy nonprofits, not victims. State attorneys general may investigate whether the settlement is adequate. Victim advocacy groups are pushing to extend the deadline and challenge pro rata fairness. Meanwhile, every rental company in America still collects the same identity documents, stores them in the same kinds of databases, and hopes the next 96-hour breach hits somebody else. The system that created this vulnerability hasn’t changed. The next breach is a matter of when.

Sources:
“Car Rental Giant Avis Data Breach Impacts Over 299,000 Customers.” BleepingComputer, 9 Sep. 2024.
“In re: Avis Rent A Car System, LLC Security Incident Litigation.” Avis Data Security Settlement, 2026.
“Victim Recovery Law Center Secures $3M Punitive Verdict Against Avis in Fatal Crash Case.” Victim Recovery Law Center, 16 Oct. 2025.
“Payless Car Rental Class Action Says Customers Charged for Add-Ons.” Top Class Actions, 27 Sep. 2016.