Hertz Confirms Data Breach Exposing Customer PII in Cleo File Transfer Exploit
Car rental company Hertz Corporation has confirmed a data breach that compromised the personal information of customers tied to its Hertz, Thrifty, and Dollar brands. The incident stemmed from a zero-day vulnerability in third-party file transfer software provided by Cleo.
“On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024,” stated the company’s data breach notification.
[Image: Hertz data leaked on Clop data leak site. Source: BleepingComputer]
Hertz immediately began analyzing the stolen data to identify affected individuals and the extent of the exposure.
Details of Compromised Information
The breach exposed sensitive data, and the data involved may vary per individual. According to Hertz, the following types of personal information were potentially accessed:
- Full names
- Contact details
- Date of birth
- Credit card details
- Driver’s license information
- Workers’ compensation-related information
Additionally, a limited subset of customers may have had more sensitive data exposed:
“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID… or injury-related information associated with vehicle accident claims impacted by the event,” the company warned.
Scope of the Breach and Ransomware Group Involvement
While the total number of impacted individuals remains undisclosed, the Maine Attorney General’s Office reported that 3,409 residents were notified. Similar notifications were issued in California and Vermont.
Hertz reports no signs of fraudulent use of the data so far. However, the Clop ransomware gang, known for prior extortion-based cyberattacks, has allegedly published stolen Hertz data on its leak site.
The Clop group exploited zero-day flaws in Cleo Harmony, VLTrader, and LexiCom platforms. This mass exploitation campaign affected at least 66 organizations, including companies like WK Kellogg, Western Alliance Bank, and Sam’s Club.
Preventive Measures and Response
In response to the incident, Hertz is offering two years of complimentary identity monitoring services to affected individuals. The company urges customers to stay alert to any signs of identity theft or fraud.
Clop’s History of Targeted Data Theft
Since 2020, Clop (also known as TA505 or Cl0p) has shifted from ransomware encryption to data theft attacks. The group has a history of exploiting zero-day vulnerabilities in secure file transfer software, including:
- MOVEit Transfer
- GoAnywhere MFT
- SolarWinds Serv-U
- Accellion FTA
Their motive remains the same: stealing sensitive enterprise data and using it to extort organizations for ransom.