
Hertz Corporation, a leading global car rental company, is notifying customers and authorities of a data breach that exposed customers’ sensitive data.
Hackers stole Hertz customers’ names, contact information, dates of birth, credit card information, and driver’s license information. According to the data incident notifications, the incident also involves information related to workers' compensation claims.
“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event,” Hertz said.
The company doesn’t disclose the total number of people affected. In a filing with the Maine Attorney General's Office, Hertz specified that 3,409 Maine residents were exposed.
The company has also released separate data incident notifications for the European Union, the United Kingdom, and other countries.
The data theft was confirmed on February 10th, 2025. Hertz explains that an unauthorized party exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024. Cleo provides a file transfer platform used by Hertz “for limited purposes.”
Cl0p ransomware is likely responsible for the attack
Cybernews previously reported that Cleo was hit by Russia-linked ransomware gang Cl0p. At the end of last year, the cybercriminals threatened to publicly release the data of around 60 companies unless they started engaging in ransom negotiations.
Although the list of companies posted on the hackers’ data leak site was redacted, it included “hertz####.”
Cleo software products are widely used for secure file transfer and business integration processes. The hackers leveraged critical zero-day vulnerabilities CVE-2024-50623 and CVE-2024-55956, which have a severity rating of 9.8 out of 10.
The bugs allowed unauthenticated attackers to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the Autorun directory's default settings. There was also an unrestricted file upload and download flaw that could lead to remote code execution.
Cleo claims to have more than 4,200 business customers. Last year, the company strongly advised them to immediately upgrade all instances of its software, such as Harmony, VLTrader, and LexiCom.
Cl0p’s Cleo campaign resembles the MOVEit attacks, one of the largest hacking campaigns ever. In 2023, they impacted over 2,600 organizations and 90 million individuals worldwide. The ransomware gang is said to have made between $75 and $100 million from the MOVEit hacks.
Currently, a post on Cl0p’s data leak site claims that Hertz and 56 other companies ignored ransom notifications and did not contact the gang. Therefore, it published the “full files.”
The Hertz Corporation owns Hertz, Dollar, and Thrifty brands. The company is offering affected customers two years of identity monitoring services at no cost.
“Hertz has confirmed that Cleo took steps to investigate the event and address the identified vulnerabilities. Hertz also reported this event to law enforcement and is in the process of reporting the event to relevant regulators,” the company said.
While unaware of any misuse of the stolen personal information, Hertz also warns customers of potential fraud and suggests reviewing account statements and watching for signs of other unauthorized activity.