
Car rental giant Hertz said it suffered a significant data security incident that involved the Clop ransomware group exploiting a zero-day vulnerability in Cleo’s file transfer application to gain access to its customer records.
In a filing with the Offices of the Maine, California, Iowa and Texas Attorneys General, Hertz said that it uses Cleo’s file transfer program to send and receive files securely. On February 10, the car rental giant concluded that the sensitive personal information of its customers was accessed by a threat actor who exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.
The company immediately launched an investigation, with assistance from external cyber security experts, to determine the scope of the incident and identify the affected individuals.
The investigation, which concluded on April 2, revealed that the sensitive personal information of its customers was accessed and stolen during the incident. The compromised data included names, contact information, dates of birth, credit card information, driver’s license information, information related to workers’ compensation claims, Social Security or other government identification numbers, passport information, Medicare or Medicaid ID and more.
While the company is yet to share the number of affected individuals, it revealed in the filing with the Maine state regulator that it has identified at least 3,409 Maine residents who were affected by the incident. The company also said that the incident impacted 96,665 Texas residents, 34,452 Massachusetts residents, and at least 500 residents of California.
“Hertz takes the privacy and security of personal information seriously. To that end, Hertz has confirmed that Cleo took steps to investigate the event and address the identified vulnerabilities. Hertz also reported this event to law enforcement and is in the process of reporting the event to relevant regulators,” reads the notice.
While the car rental company found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports and account and benefit statements, and to report any suspicious activity to law enforcement authorities, including the police and the state attorney general.
It has also offered two years of complimentary identity protection and credit monitoring services through Kroll to all affected individuals.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543