Car rental giant Hertz has notified its customers of a data breach that involved the theft of their personal information, including driver’s licenses. The breach occurred due to a cyberattack on one of its vendors, software provider Cleo, between October and December 2024. Hertz owns brands such as Dollar and Thrifty, and the breach affects customers globally. TechCrunch reported on the breach details, highlighting its global impact.
The stolen data varies by region, but primarily includes customer names, dates of birth, contact information, driver’s licenses, payment card details, and workers’ compensation claims. A smaller subset of customers also had their Social Security numbers and other government-issued identification numbers taken. This breach is a part of a larger wave of data thefts linked to Cleo’s software vulnerabilities.
Hertz disclosed the breach to customers in several countries, including Australia, Canada, the European Union, New Zealand, and the United Kingdom, as well as several U.S. states, including California and Maine. In Maine, at least 3,400 customers were affected, though the total number of impacted individuals is expected to be higher. However, Emily Spencer, a spokesperson for Hertz, refrained from providing a precise count of affected individuals, stating that it would be “inaccurate to say millions” were impacted. Hertz’s official notification on their website further outlines the details.
The breach was attributed to Cleo, a software company that Hertz uses. Cleo’s enterprise file transfer software was exploited by the Clop ransomware gang, which took advantage of a zero-day vulnerability between October and December 2024. The gang’s attack on Cleo’s systems affected multiple companies, with Cleo claiming to have stolen data from nearly 60 organizations during the mass-hacking campaign.
Despite being named by Clop’s dark web leak site, Hertz had initially denied any evidence that its data or systems had been compromised. However, the company has since confirmed that data was stolen by an unauthorized third party who exploited vulnerabilities within Cleo’s platform. Hertz maintained that no evidence suggests its own network was breached.
Also Read : The xAI–X Merger: A Strategic Bet on Musk’s Empire
