If you rented a car from Avis last summer, your driver’s license number and credit card information may have been stolen by hackers. Now, affected customers can file claims for up to $5,000 in compensation through a settlement tied to the breach. The catch: the deadline to submit a claim is June 21, 2025, and it is approaching fast.
The breach itself lasted only three days, from August 3 through August 6, 2024, but it swept up a massive amount of sensitive customer data during one of the busiest travel periods of the year. State regulators in both California and Massachusetts have published official notifications confirming the incident, and a class action lawsuit has been filed against Avis over the exposure.
What happened during the Avis breach
According to the breach notification sample filed with California’s Attorney General, an unauthorized party accessed Avis’s business systems over a three-day window starting August 3, 2024. The company discovered the intrusion and reported it to state regulators in early September. Massachusetts received formal notification on September 5, 2024, roughly a month after the breach began.
That 30-day gap matters. During peak summer travel season, potentially hundreds of thousands of customers had no idea their personal information had been compromised. Attackers who obtained card numbers or license data during that window had weeks to attempt fraudulent charges, open new accounts, or commit identity theft before anyone was warned.
Massachusetts’s 2024 annual breach report specifies two categories of data exposed for its residents: driver’s license numbers and credit or debit card numbers. Those are not low-risk data points like email addresses. They are the exact pieces of information criminals use to drain bank accounts and forge identities.
How many people were affected
Court filings and reporting tied to the subsequent lawsuit reference approximately 300,000 affected consumers nationwide. That figure originates from the litigation rather than from a single regulator’s final tally, so the actual number could shift as the case progresses. However, the scale is consistent with what state-level filings suggest: Avis is a major rental company processing millions of transactions per year, and a three-day breach during August would have captured a significant volume of customer records.
Avis has not published a company-wide total in the state regulatory filings available from California and Massachusetts. The company did send individual notification letters to affected customers, and those letters remain the most reliable way for any specific person to confirm whether their data was part of the breach.
What the $5,000 compensation covers
The up-to-$5,000 figure is associated with the settlement and claims process that followed the breach and related litigation. It is important to note that the specific payout cap, eligibility rules, and reimbursement categories do not appear in the regulatory filings posted by California or Massachusetts. Those state records confirm the breach itself but do not contain settlement terms.
That means affected consumers should not rely solely on news summaries to understand what they can claim. Instead, anyone who received a breach notification letter from Avis should review that letter carefully. It should identify the claims administrator, outline what expenses are eligible for reimbursement (such as costs related to fraud, credit monitoring, or time spent resolving identity theft), and provide instructions for filing.
If you received a notice but have misplaced it, contact Avis directly or check with the claims administrator referenced in the settlement. Do not wait until the last minute: the June 21 deadline leaves little room for delays in processing or mailing.
What Avis has and hasn’t said publicly
Avis’s public response has been limited to what state law requires. The company filed the mandatory breach notifications and sent letters to affected individuals, but no detailed public statement from Avis executives about the root cause, the specific vulnerability exploited, or the full scope of remediation efforts appears in the state filings from California and Massachusetts.
It is also unclear from those filings alone whether Avis offered complimentary credit monitoring to all affected customers, which has become standard practice after large-scale breaches. Consumers who received a notification letter should check whether such an offer was included and, if so, enroll promptly. Free credit monitoring does not prevent fraud, but it can alert you to suspicious activity on your accounts far sooner than you would catch it on your own.
Steps to take before the June 21 claims deadline
If you rented from Avis between August 3 and August 6, 2024, or if you received a breach notification letter at any point afterward, here is what you should do now:
- Locate your breach notice. Check your mail and email for a letter from Avis or its claims administrator. This is your primary document for filing a claim.
- Verify the notice is legitimate. Cross-check the dates (August 3 through August 6, 2024) and any contact information against the official filings on the California Attorney General’s website.
- File your claim before June 21. Follow the instructions in your notice to submit documentation of any losses, out-of-pocket expenses, or time spent dealing with fraud tied to the breach. Keep copies of everything you send.
- Monitor your credit reports. Request free reports from AnnualCreditReport.com and review them for unfamiliar accounts or inquiries. You are entitled to free weekly reports from all three major bureaus.
- Watch your card statements. The breach exposed credit and debit card numbers. Review recent and upcoming statements line by line, and report any unauthorized charges to your bank immediately.
- Consider a credit freeze. A freeze prevents new accounts from being opened in your name and is free to place and lift at each of the three major credit bureaus (Equifax, Experian, and TransUnion). Given that driver’s license numbers were exposed, this step is especially worth considering.
The types of data confirmed in this breach are not the kind that become less dangerous over time. Driver’s license numbers do not expire as quickly as credit cards, and they are widely used as identity verification. Even if you have not noticed fraud yet, the risk of misuse can persist for years. Filing a claim before the deadline and locking down your credit now are the two most concrete steps you can take to protect yourself.
