Hertz says hackers stole customer credit card and driver’s license data

Hertz has confirmed that a data breach occurred between October 2024 and December 2024, where hackers stole customer credit card and driver’s license data.
The breach may have exposed personal information including names, contact information, dates of birth, credit card details, driver’s license details, and Social Security numbers.
A “very small number” of individuals had their passport numbers and other government-issued identification data taken in the breach, according to Hertz.
Hertz says it is not aware of any misuse of personal information for fraudulent purposes, but is reporting the incident to law enforcement and regulators.
The group responsible for the cyberattack has not been identified, and Cleo Communications has since addressed the vulnerabilities that were exploited in the breach.

SAN DIEGO, CALIFORNIA – FEBRUARY 28: A Hertz logo is displayed outside a rental shop on February 28, 2025 in San Diego, California. (Photo by Kevin Carter/Getty Images)

Hertz says it’s “not aware of any misuse of personal information” stemming from the breach. | Image: Getty Images

Car rental giant Hertz is alerting customers that personal information including credit card details and Social Security numbers may have been stolen in a data breach that impacted one of the firm’s vendors. In a notice posted to its website, Hertz says that company data “was acquired by an unauthorized third-party” during a cyberattack exploiting zero-day vulnerabilities within the Cleo Communications file transfer platform between October 2024 and December 2024.

The data theft was confirmed by Hertz on February 10th, with further analysis on April 2nd concluding that customers’ names, contact information, dates of birth, credit card information, driver’s license details, and information related to workers’ compensation claims may have been exposed by the breach. Hertz also says that “a very small number of individuals” had their Social Security numbers taken in the breach, along with passport numbers and other government-issued identification data.

Hertz says that the incident is being reported to law enforcement and relevant regulators, and that Cleo has since addressed “the identified vulnerabilities.”

The website notice is viewable across multiple regions, including the US, Canada, the European Union, the United Kingdom, and Australia. Hertz has not revealed how many of its customers have been impacted by the breach but says it is “not aware of any misuse of personal information for fraudulent purposes in connection with the event.” We have asked Hertz to clarify how many customers are affected.

The group or individual responsible for the cyberattack has not been identified. Cleo, which is used by a wide range of global organizations, was notably targeted by a mass-hacking campaign in October last year. The Russia-affiliated Clop ransomware gang later claimed responsibility for those attacks, leaking Cleo company data on its extortion site and listing 59 organizations it claimed to have breached via vulnerabilities in Cleo’s platform.

link

Q. What type of data was stolen in the Hertz data breach?

A. Personal information including credit card details, Social Security numbers, names, contact information, dates of birth, driver’s license details, and information related to workers’ compensation claims.

Q. How did the data breach occur?

A. The data breach occurred due to a cyberattack exploiting zero-day vulnerabilities within the Cleo Communications file transfer platform between October 2024 and December 2024.

Q. Which regions are affected by the data breach?

A. The website notice is viewable across multiple regions, including the US, Canada, the European Union, the United Kingdom, and Australia.

Q. Has Hertz revealed how many customers have been impacted by the breach?

A. No, Hertz has not revealed how many of its customers have been affected by the breach, but says it is “not aware of any misuse of personal information for fraudulent purposes in connection with the event.”

Q. Is Hertz aware of any misuse of personal information stemming from the breach?

A. According to Hertz, it is “not aware of any misuse of personal information” stemming from the breach.

Q. Has Cleo addressed the identified vulnerabilities?

A. Yes, Cleo has since addressed “the identified vulnerabilities” following a mass-hacking campaign in October last year.

Q. Who or what group is responsible for the cyberattack?

A. The group or individual responsible for the cyberattack has not been identified.

Q. How many organizations was Cleo targeted by the mass-hacking campaign?

A. According to Cleo, 59 organizations were breached via vulnerabilities in Cleo’s platform as a result of the mass-hacking campaign.

Q. Has Hertz reported the incident to law enforcement and relevant regulators?

A. Yes, Hertz has reported the incident to law enforcement and relevant regulators.