Hertz Notifies Customers of Data Breach Linked to Vendor Cyberattack

Car rental giant Hertz is alerting customers about a data breach that compromised sensitive personal information, including driver’s license and payment details. The breach stems from a cyberattack on one of the company’s third-party vendors, which occurred between October and December 2024.
In notices posted on its websites, Hertz — which also owns the Dollar and Thrifty brands — revealed that the stolen data may include customer names, birth dates, contact details, driver’s license numbers, payment card information, and in some cases, Social Security numbers and other government-issued IDs. Certain workers’ compensation claim data was also compromised.
The breach affects customers across multiple regions, including Australia, Canada, the EU, New Zealand, and the UK. In the United States, disclosures have been filed with several state regulators, including California and Maine, with the latter reporting at least 3,400 residents impacted. Hertz has not provided a global figure but emphasized that it would be “inaccurate to say millions” were affected.
According to Emily Spencer, a Hertz spokesperson, the breach originated from a cyberattack on Cleo, a software vendor whose enterprise file transfer tools were exploited by the Clop ransomware gang, a group linked to Russia. The gang reportedly used a zero-day vulnerability in Cleo’s platform to steal data from dozens of corporate clients during a wide-reaching campaign in 2024 — one of the year’s most prominent mass-hacks.
Hertz was initially listed on Clop’s dark web leak site, but at the time, the company claimed there was “no evidence” its systems or data had been impacted. However, as of this week, Hertz has confirmed that customer data was indeed compromised as a result of vulnerabilities in Cleo’s platform.
The company maintains that its own internal systems remain unaffected by the incident.