Car rental giant Hertz has informed customers of a data breach stemming from a cyberattack on its third-party vendor, Cleo Communications. The breach, occurring between October and December 2024, compromised personal data, including names, contact information, driver’s license numbers, and payment card details. A smaller subset of customers also had their Social Security numbers and other government-issued IDs exposed.
The breach affected customers across multiple regions, including Australia, Canada, the European Union, New Zealand, the United Kingdom, and several U.S. states such as California and Maine. In Maine alone, at least 3,400 individuals were impacted. Hertz has not disclosed the total number of affected customers but emphasized that its internal systems remained secure, with no evidence of data misuse to date.
The Clop ransomware gang exploited zero-day vulnerabilities in Cleo’s file transfer software—specifically CVE-2024-50623 and CVE-2024-55956—to infiltrate systems and exfiltrate data. These vulnerabilities allowed attackers to execute remote code and gain unauthorized access to sensitive information. Clop has since claimed responsibility for similar attacks on over 60 organizations using Cleo’s platforms.
Hertz is collaborating with cybersecurity experts to investigate the incident and has advised customers to monitor their accounts for suspicious activity. The company is also reviewing its vendor relationships to enhance data security measures.
