Car rental giant Hertz has alerted customers about a data breach involving one of its vendors, potentially compromising sensitive personal information such as credit card details and Social Security numbers. In a notice posted on its website, Hertz revealed that the breach occurred during a cyberattack exploiting zero-day vulnerabilities in the Cleo Communications file transfer platform between October 2024 and December 2024. The company stated that unauthorized third parties had accessed its data during this period.
Hertz confirmed the data theft on February 10th and conducted further analysis on April 2nd, which revealed that customers’ names, contact details, dates of birth, credit card information, driver’s license information, and data related to workers’ compensation claims may have been exposed. The breach also impacted a “very small number” of Social Security numbers, passport numbers, and other government-issued identification data.
The company has reported the incident to law enforcement and relevant regulators, while Cleo has since addressed “the identified vulnerabilities.” Despite this, Hertz has not disclosed the total number of affected customers but has assured that it is “not aware of any misuse of personal information for fraudulent purposes in connection with the event.”
The notice is accessible to customers in several regions, including the US, Canada, the European Union, the United Kingdom, and Australia. However, the identity of the group or individual behind the cyberattack remains unknown. Cleo, widely used by global organizations, was previously targeted in a mass-hacking campaign in October 2024. The Russia-affiliated Clop ransomware gang later claimed responsibility for those attacks, leaking Cleo company data on its extortion site and naming 59 organizations it claimed to have breached through vulnerabilities in Cleo’s platform.
