HQ/EMEAFind out how we can help your business
Hertz Corporation, a major car rental company, has alerted the public about a data breach incident that involved customer data from its Hertz, Thrifty, and Dollar brands. Reports revealed that the alleged stolen data is part of the widespread Cleo zero-day exploits last year.
According to its breach notification, on February 10, 2025, Hertz confirmed that an unauthorised third party had acquired its data by exploiting zero-day vulnerabilities in Cleo’s platform in October and December 2024.
The company promptly began reviewing the data to determine the scope of the breach and enumerate those whose personal information may have been affected.
The details of the compromised data vary by individual, potentially including names, contact details, dates of birth, credit card numbers, driver’s license information, and details related to workers’ compensation claims.
Furthermore, the car rental company noted that many individuals might have had their Social Security numbers or government IDs stolen.
According to investigations, an even smaller subset may have experienced a compromise of their Social Security or government identification numbers, passport information, Medicare or Medicaid ID, and injury-related data from vehicle accident claims.
The number of individuals potentially affected by the Hertz data breach incident reached over 3,000.
Although Hertz has not disclosed the total number of affected customers, Maine’s Attorney General’s Office has indicated that about 3,400 residents are receiving notifications.
Notifications were also sent to residents in California and Vermont, though those states did not report affected numbers.
In response, Hertz provides customers with two years of complimentary identity monitoring services and recommends that impacted individuals remain vigilant against potential fraud.
While the car rental company stated that they have yet to identify any misuse of personal information for fraudulent purposes, it is worth noting that the Clop ransomware gang had previously leaked company data on their extortion site.
In October last year, Clop took advantage of a zero-day flaw in Cleo’s managed file transfer platforms: Cleo Harmony, VLTrader, and LexiCom.
Clop later claimed responsibility for the breach, asserting that data from 66 companies had been stolen. Other firms that confirmed or are investigating breaches related to the Cleo data theft attacks include Western Alliance Bank, WK Kellogg Co., and Sam’s Club.
