The breach, confirmed on February 10, 2025, resulted from the exploitation of zero-day vulnerabilities in Cleo’s platform during October and December 2024, leading to the unauthorized acquisition of Hertz data by a third party.
A zero-day vulnerability refers to a previously unknown security flaw in software that is exploited before the vendor becomes aware and can issue a patch.
In this incident, attackers leveraged such vulnerabilities in Cleo’s file transfer platform, bypassing existing security controls and gaining unauthorized access to sensitive data.
The breach was not detected until months after the initial compromise, highlighting the challenges organizations face in defending against zero-day attacks.
Following a comprehensive data analysis completed on April 2, 2025, Hertz determined that the compromised data may include:
A limited subset of individuals may have had even more sensitive data exposed, such as Social Security numbers, government identification numbers, passport information, Medicare or Medicaid IDs (linked to workers’ compensation claims), and injury-related information from vehicle accident claims1.
Upon confirmation of the breach, Hertz and Cleo initiated a thorough investigation and remediation process.
Cleo addressed the identified vulnerabilities, and Hertz notified law enforcement and relevant regulatory authorities.
As a precaution, Hertz has engaged Kroll to provide two years of complimentary identity monitoring or dark web monitoring services to potentially affected individuals.
Hertz advises all potentially impacted customers to remain vigilant against identity theft and fraud.
Recommended actions include:
To request a credit freeze, individuals must provide:
Contact information for the three major credit bureaus:
| Bureau | Fraud Alert Address | Credit Freeze Address | Website | Phone |
|---|---|---|---|---|
| Equifax | P.O. Box 105069, Atlanta, GA 30348-5069 | P.O. Box 105788, Atlanta, GA 30348-5788 | equifax.com/personal/credit-report-services/ | 1-888-298-0045 |
| Experian | P.O. Box 9554, Allen, TX 75013 | P.O. Box 9554, Allen, TX 75013 | experian.com/help/ | 1-888-397-3742 |
| TransUnion | P.O. Box 2000, Chester, PA 19016 | P.O. Box 160, Woodlyn, PA 19094 | transunion.com/credit-help | 1-800-916-8800 |
Under the Fair Credit Reporting Act (FCRA), individuals have the right to:
Victims of identity theft are encouraged to file police reports and notify the Federal Trade Commission (FTC) and their state Attorney General.
The FTC provides resources and complaint filing at www.consumer.gov/idtheft or 1-877-IDTHEFT (438-4338)1.
While Hertz has not detected any fraudulent use of the compromised data, the company urges all affected individuals to take proactive steps to safeguard their personal information.
The incident underscores the persistent threat posed by zero-day vulnerabilities and the importance of robust vendor risk management and rapid incident response.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post Hackers Steal Sensitive Customer Data in Hertz Security Breach appeared first on Cyber Security News.
Originally announced at a Nintendo Direct all the way back in March 2025, Rhythm Heaven…
If you, like me, are looking to complete your Pokémon TCG binder, we may have…
Audiences are really loving Project Hail Mary’s Rocky, the sentient rock-based alien lifeform who charms…
Mozilla has released Firefox 150, addressing 41 security vulnerabilities, including multiple high-severity flaws that could…
A critical security vulnerability, tracked as CVE-2026-22752, has been discovered in Spring Security Authorization Server,…
Cybersecurity organization SEAL (Security Alliance) has issued a critical warning about a sustained and escalating…
This website uses cookies.