Mon Apr 14 2025

Hertz reports that personal data and customer driver's licenses have been stolen in a security breach.

The car rental company attributed the breach to Cleo, whose customers suffered a data theft by a ransomware group in 2024.

Hertz, the well-known car rental company, has begun notifying its customers about a data breach that compromised their personal information, including driver's licenses. This situation is related to a cyberattack on one of its suppliers, which occurred between October and December 2024.

The stolen information varies by region but mostly includes Hertz customer names, birth dates, contact information, details of their driver's licenses, payment card data, and workers' compensation claims. Additionally, it was reported that a smaller number of customers had their Social Security numbers and other government identification numbers compromised.

Hertz has informed its customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom about the incident. It has also publicly disclosed the issue to several U.S. states, including California and Maine. Although it was confirmed that at least 3,400 customers in Maine were affected, the company did not provide a total number of individuals impacted, which is likely considerably higher.

A spokesperson for Hertz, Emily Spencer, did not offer a specific number of affected individuals, but mentioned that it would be "inaccurate to state that millions" of customers are involved. The company attributed the breach to its vendor, Cleo, a software manufacturer that was implicated last year in a mass hacking campaign carried out by a ransomware group linked to Russia. Hertz was among the many organizations using Cleo's software at the time of the data breach.

The Clop ransomware gang claimed to have exploited a zero-day vulnerability in Cleo's file transfer products, allowing attackers to steal large volumes of data from this vendor's corporate clients. Shortly thereafter, Clop alleged that it had stolen data from nearly 60 companies by exploiting this flaw in Cleo's systems. In later posts, the gang indicated that there were more victim companies.

This data extortion case is considered one of the most significant mass hacks of 2024. When Hertz was mentioned on the Clop site at the time, the company stated that there was no "evidence" that Hertz's data or systems had been compromised. A spokesperson recently confirmed that no evidence was found that Hertz's network was affected, but said that Hertz's data "was acquired by an unauthorized third party who exploited zero-day vulnerabilities within Cleo's platform between October and December 2024." So far, an executive from Cleo has not responded to requests for information about the incident.