Hertz, the car rental giant, has started informing its customers about a data breach that exposed their personal information and driver’s licenses.
The breach at Hertz stemmed from a cyberattack on one of its vendors between October and December 2024. The stolen data varies by region but mainly includes customer names, birthdates, contact information, driver’s licenses, payment card details, and workers’ compensation claims. A smaller group of customers had their Social Security numbers and other government-issued IDs stolen.
Hertz posted notices about the breach on its websites across several regions, including Australia, Canada, the European Union, New Zealand, and the United Kingdom. The company also notified several U.S. states, including California, Maine, and Texas. In Maine, at least 3,400 customers were affected, and in Texas, approximately 96,665 customers were impacted. However, Hertz has not disclosed the total number of affected individuals, which is likely to be much higher.
Hertz spokesperson Emily Spencer stated that saying millions of customers were impacted would be inaccurate, though she did not disclose the exact number of affected individuals.
The breach was traced back to Cleo, a software vendor. The Russia-linked Clop ransomware gang targeted Cleo last year in a mass-hacking campaign, exploiting a zero-day vulnerability in Cleo’s software. Many global organizations use this software to protect sensitive data. The Clop gang claimed responsibility for breaching almost 60 companies by exploiting vulnerabilities in Cleo’s enterprise file transfer products, which help companies securely transfer large amounts of data online.
At the time, Hertz stated it found no evidence that its systems were affected by the attack. However, the company confirmed that an unauthorized third party stole data by exploiting the security flaws in Cleo’s platform between October and December 2024.
A representative from Cleo did not respond to inquiries about the breach.