Hertz Corporation has disclosed a major data breach involving the personal information of thousands of customers. The breach affects clients of its Hertz, Thrifty, and Dollar brands, stemming from a cyberattack on third-party vendor Cleo’s file transfer platform. This incident highlights ongoing risks tied to software vulnerabilities in vendor platforms used by enterprise organizations.
The breach was triggered by two zero-day vulnerabilities in Cleo’s widely-used file transfer service. These vulnerabilities, tracked as CVE-2024-50623 and CVE-2024-55956, were exploited in late 2024 by the notorious Cl0p ransomware group. The cybercriminal group used these flaws in October and December to infiltrate and extract data from Cleo’s systems, impacting a wide range of organizations, including Hertz.
Comparitech privacy advocate Paul Bischoff revealed in March that hundreds of companies may have been affected. The stolen data has since been appearing on Cl0p’s dark web leak site, raising concerns over further misuse.
What Personal Data Was Compromised?
In a notification issued last week, Hertz acknowledged that the Cleo hack led to the exposure of sensitive customer data. Although Cleo’s platform was only used by Hertz for “limited purposes,” the stolen information is extensive.
The data breach may include:
- Full names and contact details
- Dates of birth
- Driver’s license numbers
- Credit card information
- Workers’ compensation claim details
For some individuals, even more sensitive data was compromised, including:
- Social Security numbers
- Government-issued ID numbers
- Passport information
- Medicare or Medicaid ID numbers
- Injury-related data from accident claims
Customer Protection Measures and Notifications
Although Hertz has found no current evidence of the stolen data being misused, the company has taken proactive steps. It is offering two years of free identity monitoring and dark web monitoring to affected customers.
In its public notice, Hertz urged customers to stay vigilant:
“We encourage you, as a best practice, to remain vigilant to the possibility of fraud or errors by reviewing your account statements and monitoring free credit reports for any unauthorized activity.”
The company has filed breach notifications with the Attorneys General of several states. While the full number of impacted individuals remains undisclosed, the filing to Maine’s AGO confirms at least 3,409 state residents were affected.
Hertz Clarifies Its Network Was Not Directly Compromised
Importantly, Hertz has emphasized that its internal systems were not breached. A spokesperson stated:
“To date, our forensic investigation has found no evidence that Hertz’s own network was affected. However, among many other companies affected by this event, we have confirmed that Hertz data was acquired by an unauthorized third party who exploited Cleo’s platform.”
Cleo and Cl0p: A Recurring Security Threat
The same Cl0p ransomware gang previously made headlines for its exploitation of the MOVEit Transfer vulnerability in 2023, which affected thousands of global organizations. These back-to-back campaigns highlight the danger posed by zero-day exploits and underscore the importance of vendor security in the broader digital ecosystem.
About Hertz Corporation
Hertz operates under the Hertz, Thrifty, and Dollar brands across global regions including North America, Europe, the Caribbean, Latin America, Africa, the Middle East, Asia, Australia, and New Zealand. The company’s reliance on external platforms like Cleo illustrates the complex, interconnected nature of modern enterprise IT systems—and the vulnerabilities that can arise as a result.
