Hertz Says Customers' Personal Data and Driver's Licenses Stolen in Data Breach

Car rental giant Hertz has begun notifying its customers of a devastating data breach that has compromised their sensitive information. The breach, which was carried out by an unauthorized third party using zero-day vulnerabilities within Cleo's platform, has left thousands of customers vulnerable to identity theft and financial loss.

The breach, which occurred between October 2024 and December 2024, affected a significant number of customers across several regions, including Australia, Canada, the European Union, New Zealand, and the United Kingdom. In the United States, Hertz reported that at least 3,400 customers in Maine were affected, while an estimated 96,665 customers in Texas were also impacted.

According to notices on Hertz's website, the stolen data includes customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. A smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers.

Hertz attributed the breach to Cleo, a software maker that was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang last year. The Clop ransomware gang claimed to have exploited a zero-day vulnerability in Cleo's widely used enterprise file transfer products, allowing it to steal reams of data from corporate customers.

The breach has raised serious concerns about the security of Hertz's systems and the potential for identity theft and financial loss. While Hertz stated that it found no evidence that its own network was affected by the breach, the company acknowledged that its data "was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo's platform in October 2024 and December 2024."

The incident has also highlighted the vulnerability of companies using Cleo's software to cyber attacks. Hertz is not alone in being affected, as dozens of other companies were targeted by the Clop ransomware gang last year.

A Growing Concern for Data Security

As the number of data breaches continues to rise, concerns about data security are growing louder. The breach at Hertz highlights the need for companies to prioritize cybersecurity measures and protect their customers' sensitive information.

The incident also raises questions about the role of vendors like Cleo in perpetuating data breaches. As a software maker, Cleo has a responsibility to ensure that its products are secure and do not contain vulnerabilities that can be exploited by cyber attackers.

What You Need to Know

If you are a customer of Hertz, it is essential to take immediate action to protect your personal data. Here are some steps you can take:

• Monitor your credit reports and accounts for any suspicious activity.
• Change all of your passwords and keep them confidential.
• Cancel any payment cards or services that were affected by the breach.
• Contact Hertz's customer service department to report any concerns or questions you may have.

We will continue to provide updates on this developing story as more information becomes available. In the meantime, customers are advised to remain vigilant and take steps to protect their personal data.