Hertz Hit by Data Breach Through Third-Party Software Vulnerability

Car rental leader Hertz has disclosed a significant cybersecurity incident resulting in the theft of sensitive customer data.


The company revealed in a recent data breach notification that unauthorised access occurred through Cleo Communications, a third-party software provider that supplied file transfer services to Hertz "for limited purposes."


According to the report, attackers exploited a zero-day vulnerability in the Cleo platform to extract sensitive information during October and December 2024. The breach went undetected until mid-February 2025, triggering an investigation that confirmed customer data had been compromised.


"We completed this data analysis on April 2, 2025, and concluded that the personal information involved in this event may include the following: name, contact information, date of birth, credit card information, driver's license information and information related to workers' compensation claims," the company stated in its announcement.


Hertz added: "A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers' compensation claims), or injury-related information associated with vehicle accident claims impacted by the event."


The full scope of the breach remains unclear. When questioned about the number of affected customers, a Hertz spokesperson stated it would be "inaccurate to say millions" of customers were impacted.


Details about the attackers and their specific methods remain unknown. The extended time between the breach and its discovery suggests this was likely not a ransomware attack but rather a targeted data theft operation.


In response, Hertz is offering potentially affected individuals two years of complimentary identity monitoring and dark web monitoring services through Kroll.


As of this writing, there has been no evidence indicating misuse of the stolen information.


What makes this breach particularly concerning is how long it went undetected: nearly four months from initial compromise to discovery. How many other organisations might be harbouring similar undetected breaches through their third-party vendors?

Via TechCrunch
