American car rental company Hertz has suffered a data breach linked to last year’s exploitation of Cleo zero-day vulnerabilities by a ransomware gang.
The breach resulted in information of an unknown number of customers of Hertz and Hertz’s subsidiaries Dollar and Thrifty to be compromised.
Hertz data breach notifications
“Cleo is a vendor that provides a file transfer platform used by Hertz for limited purposes,” the company shared – though it did not specify what those limited purposes were.
“On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.”
Hertz, which operates in 160+ countries around the world under various brands, has published notices aimed at customers in the US, EU, Canada, UK and Australia.
According to those notices, the following type of information was compromised:
- US individuals: name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims compromised. “A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event,” Hertz added
- UK individuals: name, contact information, date of birth, driver’s license information and payment card information
- Canadian individuals: name, contact information, date of birth, credit card information and driver’s license information. Some of them “may have had their government identification numbers, injury-related information associated with vehicle accident claims or information related to worker’s compensation claims” compromised
- Australian and EU individuals: name, contact information, date of birth, driver’s license information and payment card information. Some of them may have had their passport information compromised
The data breach notification published on the website of the Office of the Maine Attorney General says that 3,409 Maine residents were affected.
Hertz Corporation did not share the total number of individuals affected by this breach, but it could be considerable given that the various notices were meant for customers across three continents.
The corporation says that they are “not aware of any misuse of personal information for fraudulent purposes in connection with the event”, but have urged affected customers – who were sent personalized notices – “to remain vigilant to the possibility of fraud or errors by reviewing account statements and monitoring credit reports for any unauthorized activity and reporting any such activity.”
Affected individuals will be provided identity monitoring or dark web monitoring services for two years at no charge.
