A Global Data Breach Puts Hertz Customers At Risk
In a troubling revelation that has sparked international concern, car rental giant Hertz has confirmed that sensitive customer data was compromised in a cybersecurity incident. The breach occurred between October and December 2024 and targeted a third-party vendor used by the company—Cleo Communications. Hackers exploited zero-day vulnerabilities in Cleo’s file transfer platform, ultimately gaining access to private customer information including credit card details and driver’s license numbers.
Hertz publicly confirmed the data theft on February 10, 2025, and released a more detailed update after internal analysis concluded on April 2. The company has notified law enforcement and relevant regulatory bodies in the United States, Canada, the United Kingdom, the European Union, and Australia. While the full extent of the breach remains unclear, the incident has raised concerns about how companies manage and protect consumer data in a connected digital ecosystem.
What Data Was Exposed In The Hertz Breach?
According to Hertz’s official notice, the hackers obtained a wide array of customer data. The compromised information includes:
- Names and contact details
- Dates of birth
- Credit card numbers and expiration dates
- Driver’s license numbers
- Details linked to workers’ compensation claims
- Government-issued IDs, including a limited number of Social Security and passport numbers
The company emphasized that only “a very small number” of individuals had their Social Security or passport numbers accessed. However, any exposure of such sensitive documents poses a serious risk for identity theft and fraud. Notably, Hertz has not disclosed how many customers were affected globally but maintains that it has not yet found evidence of fraudulent misuse related to the breach.
This attack highlights the increasing use of third-party platforms as entry points for cybercriminals, underlining the urgent need for continuous vendor security assessment. The breach is another cautionary tale, particularly relevant to companies handling large volumes of personally identifiable information.
How Cleo’s Platform Became The Breach Gateway
The breach originated at Cleo Communications, whose file transfer platform is used by many global corporations. Hackers reportedly exploited previously unknown vulnerabilities, known as zero-day flaws, in Cleo’s system to infiltrate data repositories. These vulnerabilities were active and unpatched during the period from October to December 2024, giving attackers a wide window of opportunity.
Cleo has since stated that it has resolved the security issues and strengthened its platform’s protection layers. However, this incident has prompted scrutiny into how many companies rely on third-party vendors without consistent oversight.
Interestingly, Cleo was already on the radar of cybersecurity experts due to an October 2024 mass-hacking campaign. The Clop ransomware group, believed to have affiliations with Russian cybercrime syndicates, later claimed responsibility for breaching Cleo and leaking sensitive data from over 50 organizations.
The implications of this event go far beyond Hertz. It shines a spotlight on the risks inherent in the modern digital supply chain, where companies are interconnected via platforms, APIs, and shared infrastructure that could inadvertently become attack vectors.
Hertz’s Reaction And Global Legal Involvement
Following the confirmation of the breach, Hertz initiated a widespread notification campaign. Customers across the U.S., Canada, the European Union, the United Kingdom, and Australia were informed of the potential exposure of their personal data. The firm has also filed reports with law enforcement agencies and data protection regulators in these jurisdictions.
Cybersecurity incidents involving personal data often trigger legal obligations under data protection laws such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). While Hertz has stated it is unaware of any current misuse of the stolen data, investigations are still ongoing.
Affected customers are being advised to closely monitor their bank statements, credit reports, and other sensitive accounts for any signs of suspicious activity. In some regions, Hertz is offering free credit monitoring and identity theft protection services as a precaution.
The breach not only poses legal and reputational challenges for Hertz, but also revives ongoing debates about corporate responsibility in protecting consumer data, especially when outsourcing critical infrastructure to third parties.
Cybersecurity Lessons For Businesses And Consumers
This breach reinforces an essential truth—cybersecurity is not just about internal protection. Businesses must also extend their risk management strategies to vendors and third-party platforms. Routine security audits, real-time threat detection, and zero-trust frameworks can significantly reduce the chances of a successful attack.
For consumers, the incident serves as a wake-up call to remain proactive about personal data. Simple steps like using virtual cards, enabling two-factor authentication, and periodically reviewing your credit history can offer added layers of security.
Moreover, individuals should be wary of phishing attempts, which often follow major breaches. Scammers might use stolen details to impersonate companies and trick customers into providing additional sensitive information.
As cybercrime grows more sophisticated, businesses and consumers alike must evolve to adapt to the shifting digital threat landscape.
Frequently Asked Questions (FAQ)
1. What Should I Do If I Rented A Car From Hertz Recently?
If you rented a vehicle from Hertz between October and December 2024, monitor your email and physical mail for notices from the company. You should also check your credit reports and bank statements for unusual activity.
2. How Do I Know If My Data Was Stolen?
Hertz has stated it is reaching out to impacted customers individually. If you have not yet received a notification, your data may not have been exposed. However, stay alert and follow precautionary measures just in case.
3. Was The Clop Ransomware Group Involved?
While Clop has previously attacked Cleo, Hertz has not officially confirmed who is behind this breach. However, the timing and methodology suggest a potential link to the same campaign.
4. Is Hertz Offering Compensation?
In some countries, Hertz is providing complimentary credit monitoring and identity protection services for affected customers. Check your regional Hertz website or contact customer support for more information.
5. Has Cleo Fixed The Vulnerabilities?
Yes. Cleo has stated that it patched the exploited vulnerabilities and is reinforcing its cybersecurity posture to prevent similar breaches in the future.
Vigilance Is Key In A Digital Age
The Hertz data breach is a clear reminder that no organization, no matter how large, is immune to cyber threats. While Hertz and Cleo are taking corrective actions, the onus is now on businesses worldwide to reassess their cybersecurity frameworks and vendor relationships. At the same time, consumers must remain cautious, informed, and ready to act in the face of digital vulnerabilities.
As investigations continue and more details emerge, it is essential to learn from this breach and invest in stronger, more resilient data protection systems moving forward.