Hertz confirms data breach linked to Cleo software flaw; Cl0p ransomware group leaked stolen data, exposing names, driver’s licenses, and credit card details.
Car rental company Hertz has announced that some of its customers’ private details were accessed without permission. This happened because of vulnerabilities in Cleo Communications US, LLC (Cleo), a company that provides software services to Hertz.
It is worth noting that in December 2024, the Cl0p ransomware group claimed responsibility for exploiting vulnerabilities in Cleo’s managed file transfer software, leading to the theft of large amounts of corporate data. A few days later, the group published the stolen Hertz data archive on its dark web leak site.

In its official press release (PDF), Hertz, which also owns the Dollar and Thrifty car rental brands, explained that Cleo runs a system that Hertz uses to send files for specific tasks. On February 10, 2025, Hertz found out that some of its data was taken by an unauthorised individual who, Hertz believes, took advantage of weaknesses, called zero-day vulnerabilities, in Cleo’s software that were exploited in October 2024 and December 2024.
Right after detecting suspicious activity, Hertz launched an investigation to understand what happened and what information could be exposed. This investigation concluded on April 2, 2025, revealing that accessed data may include names, contact details, birth dates, credit card numbers, and driver’s licence information.
“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims,” may also be impacted, the company explained.
Hertz confirmed that Cleo is investigating the issue and fixing the software problems, and that they have already reported this data breach to the police and other government agencies. To be extra careful, Hertz is offering 2 years of free identity monitoring or dark web monitoring services to people who might be affected, through a company called Kroll.
Notably, a data breach notification filed with the Maine Attorney General reveals that 3,409 residents of Maine were affected by this data breach. Because this number exceeds 1,000, Hertz has notified consumer reporting agencies, as required by law in Maine. The breach is categorised as an “External system breach (hacking),” according to the Maine Attorney General’s filing, providing a clearer understanding of the nature of the security incident.
Hertz claims that at the moment, there is no evidence that anyone’s information has been used to commit fraud. The company also recommends checking account statements and credit reports regularly and has provided a phone number, 866-408-8964, to call if you have more questions.
You can also put a fraud alert on your credit file for free, the company notes. An initial alert lasts for 1 year. To set up a fraud alert, you need to contact Equifax, Experian, or TransUnion.
Another option is to put a “credit freeze” on your credit report. This stops credit bureaus from sharing information without the person’s permission. This can help prevent new credit accounts from being opened in someone’s name without their knowledge. However, Hertz warns that a credit freeze might delay or prevent the approval of new loans or credit if you need them quickly.
Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the latest development, stating:
“It’s incredibly unfortunate that customers had their sensitive information compromised in such an attack. Data is a form of currency for cybercriminals, and therefore, it is essential that all organisations harbouring sensitive information manage their software risk by taking measures to improve their cybersecurity posture to prevent a compromise like this from happening again.”