Hertz Discloses Data Breach Exposing Customers' Personal Information, Driver's Licenses
Car rental giant Hertz has announced that it has suffered a major data breach, exposing the personal information and driver's licenses of customers across several regions. The incident was triggered by a cyberattack on one of its vendors, Cleo, between October and December 2024.
The breach, which has been linked to a mass-hacking campaign by the Russia-linked Clop ransomware gang, has compromised various types of personal data belonging to Hertz customers in regions including the United States, Australia, Canada, the EU, New Zealand, and the UK. The affected information includes customer names, dates of birth, contact details, driver's licenses, payment card information, and workers' compensation claims.
A smaller subset of customers also had their Social Security numbers and other government-issued identification numbers stolen in the breach. While Hertz did not provide an exact number of affected individuals, a company spokesperson stated that it would be inaccurate to suggest that millions of customers were impacted. However, disclosures made to several U.S. states, such as California and Maine, indicate that the breach likely affected a significant number of people.
The data breach has been traced back to Cleo, a software maker that fell victim to the mass-hacking campaign. The hackers exploited a zero-day vulnerability in Cleo's widely used enterprise file transfer products, which are designed to facilitate the sharing of large sets of sensitive data over the internet. By breaching these systems, the attackers were able to steal vast amounts of data from Cleo's corporate customers.
Hertz, along with dozens of other companies using Cleo's software at the time, had its data stolen during this campaign. Initially, when the Clop ransomware gang named Hertz as one of the victims on its dark web leak site, the car rental company stated that it had no evidence of its data or systems being affected.
However, Hertz has now confirmed that its data was indeed acquired by an unauthorized third party that exploited the zero-day vulnerabilities in Cleo's platform. The Clop ransomware gang's data extortion campaign, which claimed close to 60 companies as victims in its initial phase and dozens more in a subsequent post, became one of the most notable mass-hacks of 2024.
The incident highlights the importance of third-party risk management and the potential for widespread damage when vulnerabilities in widely used software are exploited by malicious actors. Hertz has emphasized that there is no evidence of its own network being affected by the breach and that the compromised data was accessed through the exploitation of vulnerabilities in Cleo's platform.
The company is now in the process of notifying affected customers and has likely begun implementing measures to mitigate the impact of the breach and prevent future incidents. As the situation continues to unfold, Hertz customers are advised to monitor their accounts closely for any suspicious activity.
A Lesson in Third-Party Risk Management
The Hertz data breach serves as a stark reminder of the importance of third-party risk management in today's digital landscape. When vulnerabilities in widely used software are exploited by malicious actors, it can have devastating consequences for companies that rely on these third-party services.
In this case, Cleo's compromised file transfer systems gave the Clop ransomware gang a direct path to the data that Hertz and other customers had entrusted to them, allowing the gang to steal vast amounts of sensitive information without touching those customers' own networks. The incident highlights the need for companies to carefully vet their third-party vendors and to implement robust security measures to protect against such breaches.
By prioritizing third-party risk management, companies can reduce the likelihood of similar incidents occurring in the future and minimize the damage caused by a breach. Hertz's response to this incident demonstrates its commitment to protecting its customers' data and preventing future breaches.