Car rental company Sixt confirmed on 1 May that it had detected IT irregularities on 29 April and had been subject to a cyber-attack.
On confirming the attack, Sixt, which has more than 2,000 locations across 110 countries, said it was able to contain it at an early stage.
The type of attack has not been made public and it is unclear if customer or employee data was lost or stolen.
“As a standard precautionary measure, access to IT systems was immediately restricted and the pre-planned recovery processes were initiated,” Sixt said in a statement.
“Many central Sixt systems, in particular the website and apps, were kept up and running. Thereby, impacts on the company, its operations and services have been minimized to provide business continuity for customers. However, temporary disruptions, in particular in customer care centers and selective branches, are likely to occur in the short term,” the company said.
An investigation of the incident is to be carried out by both internal and external cyber-security experts.
Disruption to services
The incident appears to have caused business disruption as German media outlet n-tv.de reported on 2 May that car bookings were being carried out on paper and the company’s hotlines could not be reached.
Twitter users have expressed issues with reservations, contacting customer services and cancelling reservations.
One customer shared an email they received from firstname.lastname@example.org which said it was not possible for the company to make or check reservations and rental agreements until at least the 13 May. The email goes on to explain there has been a system failure in the whole of Sixt Europe.
The email was dated 4 May 2022.
While the cause of the attack has not been disclosed, one cyber-security expert commented that the company has shown vulnerabilities in their Domain Name System (DNS) which is exposed and insecure.
Andy Jenkinson, group CEO at CIP, also highlighted the presence of a ‘Not Secure’ Sixt website which has now been pulled offline.
The weakness, which can be exploited by cyber criminals, lies where content in the form of websites and emails meet the internet. This data is not being encrypted, leaving it vulnerable to criminal exploitation. Jenkinson told CS Hub a lack of understanding around DNS and organization’s content distribution means they are vulnerable to both DDoS and man-in-the-middle attacks.
The issue of DNS being insecure is not new and not unique, Jenkinson explained. For Sixt it is made more complicated as there are over 110 branches, some of which are franchise, all with their own internet facing content.
For companies to be protected against DNS vulnerabilities Jenkinson quipped that ideally an organization would “unplug everything” connected to the internet, “but that’s not going to happen” he added.
Instead, he emphasized that companies must “make sure [they] have security where you connect to the internet, this includes both websites and emails”.
Jenkinson predicted the Sixt incident will cost the organization millions of dollars.
In the 2021 financial year Sixt said it achieved group sales of €2.28bn ($2.4bn) despite the travel disruption caused by the Covid-19 pandemic.