Hertz, the car rental giant that also owns the Dollar and Thrifty brands, is notifying customers of a data breach that compromised their personal information and driver’s licenses.
TechCrunch reports that Hertz has disclosed a data breach stemming from a cyberattack on one of its vendors, Cleo, between October and December 2024. The breach exposed various types of personal data belonging to Hertz customers in several regions, including the United States, Australia, Canada, the EU, New Zealand, and the UK.
The compromised information varies by region but generally includes customer names, dates of birth, contact details, driver’s licenses, payment card information, and workers’ compensation claims. A smaller subset of customers also had their Social Security numbers and other government-issued identification numbers stolen in the breach.
While Hertz did not provide an exact number of affected individuals, a company spokesperson stated that it would be inaccurate to suggest that millions of customers were impacted. However, disclosures made to several U.S. states, such as California and Maine, indicate that the breach likely affected a significant number of people, with at least 3,400 customers in Maine alone being impacted.
The data breach has been traced back to Cleo, a software maker that fell victim to a mass-hacking campaign by the Russia-linked Clop ransomware gang in 2024. The hackers exploited a zero-day vulnerability in Cleo’s widely used enterprise file transfer products, which are designed to facilitate the sharing of large sets of sensitive data over the internet. By breaching these systems, the attackers were able to steal vast amounts of data from Cleo’s corporate customers.
Hertz, along with dozens of other companies using Cleo’s software at the time, had their data stolen during this campaign. Initially, when the Clop ransomware gang named Hertz as one of the victims on its dark web leak site, the car rental company stated that it had no evidence of its data or systems being affected. However, Hertz has now confirmed that its data was indeed acquired by an unauthorized third party that exploited the zero-day vulnerabilities in Cleo’s platform.
The Clop ransomware gang’s data extortion campaign, which claimed close to 60 companies as victims in its initial phase and dozens more in a subsequent post, became one of the most notable mass-hacks of 2024. The incident highlights the importance of third-party risk management and the potential for widespread damage when vulnerabilities in widely used software are exploited by malicious actors.
Hertz has emphasized that there is no evidence of its own network being affected by the breach and that the compromised data was accessed through the exploitation of vulnerabilities in Cleo’s platform. The company is now in the process of notifying affected customers and has likely begun implementing measures to mitigate the impact of the breach and prevent future incidents.
Read more at TechCrunch here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.
