Car rental giant Hertz Corporation has confirmed a data breach affecting customer data for its Hertz, Thrifty, and Dollar brands after an unauthorized third party exploited zero-day vulnerabilities in Cleo’s platform.
On February 10, 2025, Hertz confirmed that its data was acquired by an unauthorized third party that exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024. Hertz immediately began analyzing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted.
The stolen data varies per individual but may contain customers’ names, contact information, date of birth, credit card information, driver’s license information, and information related to workers’ compensation claims. Additionally, a small number of individuals may have had their Social Security numbers or government identification stolen. “A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event,” warned Hertz.
While Hertz has not disclosed the total number of customers impacted, Maine’s Attorney General’s Office reports that 3,409 people in the state are receiving notifications. Notifications were also sent to individuals in California and Vermont, though the number of impacted individuals in these states was not reported.
In response to the breach, Hertz is offering affected customers two years of free identity monitoring services and advising them to be vigilant for potential fraud. Despite Hertz’s assertion that it has not detected “any misuse of personal information for fraudulent purposes,” the Clop ransomware gang has already leaked Hertz’s data on its extortion site.
The data breach was caused by the exploitation of zero-day vulnerabilities in Cleo managed file transfer platforms, including Cleo Harmony, VLTrader, and LexiCom, in October 2024. Clop claimed responsibility for the attacks, stating they stole data from 66 companies. Other companies that have confirmed or are investigating data breaches linked to the Cleo data theft attacks include Western Alliance Bank, WK Kellogg Co, and Sam’s Club.
The Clop ransomware gang, also known as TA505 and Cl0p, has shifted its focus from ransomware attacks to data theft attacks since 2020, exploiting zero-day vulnerabilities in secure file transfer platforms to steal data. The stolen data is then used to extort companies for millions of dollars in exchange for not leaking the files. Clop has previously targeted secure file transfer platforms like MOVEit Transfer, GoAnywhere MFT, SolarWinds Serv-U, and Accellion FTA.




