Car rental giant Hertz has started informing customers about a significant data breach involving sensitive personal information and driver’s licenses. According to Hertz, the breach resulted from a cyberattack that targeted one of its third-party service providers between October and December 2024.
The compromised data varies by country and region but primarily includes customer names, birth dates, contact details, driver’s licenses, payment card data, and details relating to workers’ compensation claims. In certain instances, Social Security numbers and other government-issued identification documents were also exposed.
Hertz has posted official notices about the incident on its websites for affected customers in regions including North America, Australia, New Zealand, the United Kingdom, and the European Union, and has made similar disclosures to various U.S. state authorities. In one disclosure, the company confirmed that at least 3,400 customers in Maine were impacted; however, an overall count of affected customers was not provided. A Hertz spokesperson, Emily Spencer, declined to provide an exact figure but stated it would not be accurate to assume “millions” of customers had been affected.
The data breach has been attributed to Cleo Software, an external vendor serving corporate clients, including Hertz. Cleo Software became prominent in cybersecurity headlines last year due to a major ransomware attack by the Russia-linked cybercrime group known as Clop. During that incident, the gang reportedly exploited a critical, previously unknown flaw—known as a zero-day vulnerability—in Cleo’s widely-used enterprise file transfer software, which many businesses utilize to securely move large amounts of sensitive data online.
At the time of the cyberattack, Clop publicly claimed responsibility for infiltrating dozens of companies that used Cleo’s software, including Hertz. Initially, Hertz denied that their data or network systems were compromised. However, in a recent statement, Hertz acknowledged that an unauthorized attacker gained access to sensitive customer information by exploiting Cleo’s software vulnerabilities in late 2024, clarifying that their internal Hertz network was not directly breached.
Cleo has not yet responded publicly or to media inquiries regarding the incident.
