Hackers Steal Sensitive Customer Data in Hertz Security Breach

The Hertz Corporation, representing its Hertz, Dollar, and Thrifty brands, has disclosed a significant data breach involving Cleo Communications US, LLC (“Cleo”), a third-party vendor providing file transfer services.

The breach, confirmed on February 10, 2025, resulted from the exploitation of zero-day vulnerabilities in Cleo’s platform during October and December 2024, leading to the unauthorized acquisition of Hertz data by a third party.

Technical Details: Zero-Day Exploits and Data Compromise

A zero-day vulnerability refers to a previously unknown security flaw in software that is exploited before the vendor becomes aware and can issue a patch.

In this incident, attackers leveraged such vulnerabilities in Cleo’s file transfer platform, bypassing existing security controls and gaining unauthorized access to sensitive data.

The breach was not detected until months after the initial compromise, highlighting the challenges organizations face in defending against zero-day attacks.

Scope of Exposed Information

Following a comprehensive data analysis completed on April 2, 2025, Hertz determined that the compromised data may include:

• Name
• Contact information
• Date of birth
• Credit card information
• Driver’s license details
• Workers’ compensation claim information

A limited subset of individuals may have had even more sensitive data exposed, such as Social Security numbers, government identification numbers, passport information, Medicare or Medicaid IDs (linked to workers’ compensation claims), and injury-related information from vehicle accident claims1.

Response and Mitigation Measures

Upon confirmation of the breach, Hertz and Cleo initiated a thorough investigation and remediation process.

Cleo addressed the identified vulnerabilities, and Hertz notified law enforcement and relevant regulatory authorities.

As a precaution, Hertz has engaged Kroll to provide two years of complimentary identity monitoring or dark web monitoring services to potentially affected individuals.

Recommendations for Affected Individuals

Hertz advises all potentially impacted customers to remain vigilant against identity theft and fraud.

Recommended actions include:

• Regularly reviewing account statements and free credit reports for unauthorized activity.
• Placing a fraud alert on credit files, which requires businesses to verify identity before extending new credit.
• An initial fraud alert lasts one year, while an extended alert for identity theft victims lasts seven years.
• A credit freeze (security freeze), restricts access to credit reports without explicit authorization, thereby preventing new credit accounts from being opened in the individual’s name.
• This process is free under federal law but may delay legitimate credit applications.

To request a credit freeze, individuals must provide:

1. Full name (including suffixes)
2. Social Security number
3. Date of birth
4. Addresses from the past two to five years
5. Proof of current address (e.g., utility bill)
6. Government-issued ID copy
7. Police or investigative report if identity theft is involved

Contact information for the three major credit bureaus:

Bureau	Fraud Alert Address	Credit Freeze Address	Website	Phone
Equifax	P.O. Box 105069, Atlanta, GA 30348-5069	P.O. Box 105788, Atlanta, GA 30348-5788	equifax.com/personal/credit-report-services/	1-888-298-0045
Experian	P.O. Box 9554, Allen, TX 75013	P.O. Box 9554, Allen, TX 75013	experian.com/help/	1-888-397-3742
TransUnion	P.O. Box 2000, Chester, PA 19016	P.O. Box 160, Woodlyn, PA 19094	transunion.com/credit-help	1-800-916-8800

Legal Rights and Additional Resources

Under the Fair Credit Reporting Act (FCRA), individuals have the right to:

• Obtain a free credit report annually from each major bureau
• Dispute inaccurate or incomplete information
• Place fraud alerts or credit freezes at no cost
• Seek damages for violations

Victims of identity theft are encouraged to file police reports and notify the Federal Trade Commission (FTC) and their state Attorney General.

The FTC provides resources and complaint filing at www.consumer.gov/idtheft or 1-877-IDTHEFT (438-4338)1.

While Hertz has not detected any fraudulent use of the compromised data, the company urges all affected individuals to take proactive steps to safeguard their personal information.

The incident underscores the persistent threat posed by zero-day vulnerabilities and the importance of robust vendor risk management and rapid incident response.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates

The post Hackers Steal Sensitive Customer Data in Hertz Security Breach appeared first on Cyber Security News.