Centauro.net, one of Spain's largest vehicle rental companies, has suffered a significant data breach exposing approximately 4.3 million customer records. The stolen database — extracted last week and now being actively advertised for sale on cybercrime forums — contains a high-sensitivity mix of identity, financial, and travel data. The combination of driver's license numbers, Tax Identification Numbers, and physical addresses in a single exfiltrated dataset makes this one of the more dangerous consumer data exposures reported in Europe this quarter.
What Happened
A threat actor advertised the Centauro.net database for sale on dark web forums in late March 2026, claiming the data was extracted the prior week. The database is formatted in JSON and contains structured customer records spanning the company's full customer base. Centauro.net has not issued a public statement at the time of writing, but the specificity and structure of the leaked data — including internal account and booking status fields — are consistent with direct database access rather than a scraping operation. The breach has been reported by dark web intelligence monitoring services tracking the sale listing.
What Was Taken
The exfiltrated dataset contains approximately 4.3 million customer records with the following fields confirmed:
- Full names — first and second surnames (Spanish naming convention)
- Email addresses
- Phone numbers
- Dates of birth
- Physical addresses — street, city, province, and postal code
- Driver's license details — license number, issuing country, expiration date
- Tax Identification Numbers (TIN/NIF) — Spain's national fiscal identifier
- Gender and preferred language
- Account and booking statuses
The inclusion of driver's license numbers alongside TINs and full physical addresses creates a complete identity package — sufficient for identity fraud, loan applications, SIM swapping, and targeted phishing. The booking and account status fields add behavioral intelligence useful for social engineering attacks.
Why It Matters
Vehicle rental companies are systematically underestimated as breach targets. They collect the same high-value identity data as financial institutions — government ID numbers, addresses, dates of birth — without typically operating under equivalent security scrutiny or regulatory pressure.
At 4.3 million records, this exposure covers a substantial portion of Centauro's customer base, which operates across Spain and other European markets. Spanish TINs (NIFs) are particularly dangerous in the wrong hands: they are used for tax filings, bank account verification, property transactions, and government services. Combined with a driver's license number and date of birth, an attacker has everything needed to impersonate a victim across multiple Spanish bureaucratic and financial systems.
The GDPR implications are significant. Spain's AEPD (Agencia Española de Protección de Datos) requires breach notification within 72 hours when personal data is compromised. If Centauro was aware of the exfiltration before the dark web listing appeared, the notification clock is already running — or has already expired.
The Attack Technique
The initial access vector has not been publicly disclosed. The structured, JSON-formatted nature of the exfiltrated data — including internal fields like account and booking status — strongly suggests direct database access rather than frontend scraping. Likely vectors include:
- SQL injection or API abuse targeting Centauro's booking platform
- Compromised database credentials obtained via phishing or credential stuffing against developer or admin accounts
- Exploitation of a misconfigured cloud storage bucket or database endpoint exposed without authentication
The rapid path from alleged extraction to dark web listing (within one week) suggests a financially motivated actor operating efficiently, not a long-dwell espionage operation.
What Organizations Should Do
- Audit all database access logs for the past 30 days — Look for large sequential SELECT queries, unusual off-hours access, or connections from anomalous IP ranges. JSON bulk exports are a red flag pattern to specifically query for.
- Rotate all database credentials and API keys immediately — If the breach vector was credential compromise, unchanged credentials remain active. Assume all service account passwords are burned until proven otherwise.
- Review cloud storage and database endpoint exposure — Confirm no S3 buckets, Azure Blob containers, or database ports (MySQL 3306, PostgreSQL 5432) are publicly accessible. Run a surface scan using tools like Shodan or your cloud provider's security posture dashboards.
- Implement data minimization and field-level encryption — Driver's license numbers and tax IDs should never sit in plaintext in an application database. Encrypt sensitive identifier fields at rest with application-layer keys separate from the database encryption key.
- Verify GDPR breach notification timelines are met — If your organization processes EU customer data and has reason to believe a breach occurred, the 72-hour AEPD notification window is not optional. Document your discovery timeline now.
- Alert affected customers proactively — Organizations holding this category of data (government IDs, driver's licenses) should notify customers with specific guidance: monitor credit, flag for identity fraud alerts, and be alert to phishing using their personal details.
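For the log-audit step in the list above, a small triage pass over database audit lines, added here as an illustration and not taken from Centauro or any vendor tooling. The pipe-delimited log format, trusted network range, business hours and row thresholds are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample in a hypothetical audit format:
# timestamp|db_user|source_ip|rows_returned|statement
SAMPLE_LOG = """\
2026-03-17T10:14:02|booking_app|10.20.1.15|1|SELECT * FROM customers WHERE id = 88121
2026-03-17T10:14:09|booking_app|10.20.1.15|25|SELECT id, status FROM bookings WHERE customer_id = 88121
2026-03-18T02:41:55|booking_app|203.0.113.44|50000|SELECT * FROM customers WHERE id > 0 ORDER BY id LIMIT 50000
2026-03-18T02:42:31|booking_app|203.0.113.44|50000|SELECT * FROM customers WHERE id > 50000 ORDER BY id LIMIT 50000
2026-03-18T03:05:10|report_job|10.20.1.30|52|SELECT province, COUNT(*) FROM customers GROUP BY province
"""

# Assumed site policy; tune to your own environment.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 21)   # 07:00-20:59 local time
ROW_THRESHOLD = 10_000          # rows returned by a single SELECT
TOTAL_THRESHOLD = 75_000        # cumulative rows per (user, source IP)

def audit(log_text):
    """Return (per-query findings, sources whose cumulative reads are too large)."""
    findings, totals = [], Counter()
    for line in filter(str.strip, log_text.splitlines()):
        ts, user, ip, rows, stmt = line.split("|", 4)
        when, addr, rows = datetime.fromisoformat(ts), ipaddress.ip_address(ip), int(rows)
        reasons = []
        if stmt.lstrip().upper().startswith("SELECT"):
            # Paged exports stay under per-query limits, so also sum per source.
            totals[(user, ip)] += rows
            if rows >= ROW_THRESHOLD:
                reasons.append("bulk_read")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if not any(addr in net for net in TRUSTED_NETS):
            reasons.append("unknown_source")
        if reasons:
            findings.append((ts, user, ip, reasons))
    heavy = {src: n for src, n in totals.items() if n >= TOTAL_THRESHOLD}
    return findings, heavy

if __name__ == "__main__":
    findings, heavy = audit(SAMPLE_LOG)
    for ts, user, ip, reasons in findings:
        print(ts, user, ip, ",".join(reasons))
    for (user, ip), n in heavy.items():
        print(f"cumulative: {user}@{ip} read {n} rows")
```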