Car rental giant Hertz Corporation is facing a significant data breach that has compromised sensitive customer information across its Hertz, Thrifty, and Dollar brands. The breach, which was confirmed on February 10, 2025, resulted from exploited zero-day vulnerabilities within the Cleo platform, a software service used for file transfers.
According to Hertz's data breach notification, the unauthorized access occurred in October and December 2024, with the company only detecting the breach in mid-February 2025. This delay in detection has raised concerns about the effectiveness of cybersecurity measures in place. "On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo's platform," the company stated.
The data that may have been compromised varies by individual but could include names, contact information, dates of birth, credit card details, driver’s license information, and even sensitive data related to workers' compensation claims. Hertz has warned that a small number of individuals might also have had their Social Security numbers or government identification, passport information, Medicare or Medicaid IDs, or injury-related information associated with vehicle accident claims compromised.
Maine's Attorney General's Office reported that 3,409 residents in the state are receiving notifications regarding the breach. Notifications were also sent to individuals in California and Vermont, although those states did not disclose the number of affected individuals. Hertz has not provided an exact figure for the total number of customers impacted, stating it would be "inaccurate to say millions" are affected.
In response to the breach, Hertz is offering two years of free identity monitoring services to those potentially impacted. The company has advised customers to remain vigilant about potential fraud, although it noted that there has been no detected misuse of personal information for fraudulent purposes so far.
The breach highlights the ongoing threat posed by cybercriminals, particularly the Clop ransomware gang, which has a history of exploiting vulnerabilities in secure file transfer platforms. Clop, also known as TA505 and Cl0p, has been active since March 2019 and has shifted its focus towards data theft attacks since 2020. The group claimed responsibility for stealing data from 66 companies, including other notable entities like Western Alliance Bank, WK Kellogg Co, and Sam's Club.
Hertz's incident is part of a broader trend of increasing data breaches tied to zero-day vulnerabilities. In the past, Clop has targeted platforms such as MOVEit Transfer, GoAnywhere MFT, SolarWinds Serv-U, and Accellion FTA, indicating a pattern of exploiting security weaknesses to exfiltrate sensitive data.
The Cleo platform, which Hertz utilized for limited file transfer purposes, became a vector for the breach due to its vulnerabilities. The company has since begun analyzing the scope of the event and identifying individuals whose personal information may have been impacted.
As the investigation continues, cybersecurity experts emphasize the importance of robust security protocols, especially for companies handling sensitive customer data. The Hertz breach serves as a reminder of the potential consequences of inadequate cybersecurity measures and the need for constant vigilance in the face of evolving cyber threats.
In conclusion, the Hertz data breach not only raises questions about the company's cybersecurity practices but also highlights the broader issues of data protection in an increasingly digital world. Customers are urged to take advantage of the monitoring services offered and to stay alert for any signs of identity theft.