Car rental giant Hertz has officially confirmed a significant data breach, exposing the personal information and driver’s licenses of customers across multiple regions. The incident, which occurred between October and December 2024, stems from a cyberattack targeting a third-party vendor used by the company.
Scope of the Exposed Data
The breach affects customers of Hertz, as well as its subsidiary brands, Dollar and Thrifty. According to official notices released by the company, the stolen data varies by region but generally includes:
- Customer names and dates of birth
- Contact information
- Driver’s license details
- Payment card information
- Workers’ compensation claims
In a subset of cases, attackers also obtained Social Security numbers and other government-issued identification documents.
Global Impact and Affected Regions
Hertz has issued formal disclosure notices to customers residing in the Australia, Canada, the European Union, New Zealand, and the United Kingdom markets. In the United States, specific filings confirm at least 3,400 affected individuals in Maine and 96,665 in Texas. While Hertz has not provided a total global count, a company spokesperson stated it would be “inaccurate to say millions” were impacted.
The Cleo Vendor Connection
The breach is directly linked to a vulnerability within software maker Cleo. The Clop ransomware gang, a Russia-linked group, exploited a zero-day vulnerability in Cleo’s enterprise file transfer products—tools designed for sharing large sets of sensitive data.
This incident is part of a broader, high-profile mass-hacking campaign from 2024 that targeted nearly 60 companies utilizing Cleo’s infrastructure. Although Hertz initially stated it had “no evidence” of a breach when the campaign first surfaced, the company has since clarified that its internal network remained secure. Instead, the unauthorized third party acquired the data specifically through the compromised Cleo platform.
Cleo has not responded to requests for comment regarding the security failures within its systems.