A group of professional hackers broke into the system of Europcar, one of the world's largest car rental companies, in December 2023. They stole personal data of more than 50 million customers, including name, address, phone number, email, credit card number and rental history. However, this data may not be real, but created by an artificial intelligence tool called ChatGPT.
ChatGPT is a chatbot that uses artificial intelligence to talk and do things like humans. It can create articles, type simple code commands and more. ChatGPT is programmed to reject requests to create illegal content, such as writing malware or phishing emails. But hackers exploited a loophole to bypass these constraints and used ChatGPT to create fake data.
According to a report by security firm Check Point Research, hackers used the application programming interface (API) for one of OpenAI's GPT-3 models called text-davinci-003, instead of ChatGPT. GPT-3 is a variant model designed specifically for chatbot applications. OpenAI provides GPT-3 API and other model APIs for developers to integrate AI bots into their applications. But these API versions do not have protection measures for malicious content.
Hackers used GPT-3 API to request ChatGPT to create fake data for Europcar customer profiles. They gave ChatGPT some basic information, such as country, gender, age and type of car rental, and asked ChatGPT to create other information, such as name, address, credit card number and rental history. ChatGPT used its artificial intelligence to create information that seemed reasonable and realistic, but in fact was completely false.
They stored this fake data on a secret server and threatened to reveal it if they did not receive a ransom from Europcar. But Europcar did not agree and reported the incident to the authorities. Investigators discovered that the data stolen was fake and identified the origin of the hackers. Hackers were arrested and admitted that they used ChatGPT to create fake data.
This incident raised concerns about the level of danger of ChatGPT and other artificial intelligence tools. Many experts warned that ChatGPT could be used to create malicious content, such as phishing emails, malware, fake news, offensive comments and more. They also called on OpenAI and other developers to enhance security and anti-abuse measures for GPT-3 API and other model APIs.
Meanwhile, Europcar announced that customer data was not affected by the attack and encouraged customers to check their credit card transactions. Europcar also apologized for the inconvenience and promised to improve its security system.