Hertz hit by major data breach affecting customers across multiple brands

Hertz Corporation, one of the world’s largest vehicle rental companies, has confirmed a significant data breach affecting its Hertz, Thrifty, and Dollar brands.

The breach, linked to the notorious Clop ransomware gang, exposed sensitive customer information including drivers’ licenses and credit card details.

Hertz is one of the world’s largest mobility companies.

“Hertz pioneered the car rental industry, and the Hertz brand is one of the most recognized brands globally. For more than a century, Hertz has offered innovative, differentiated products in an effort to make every rental experience seamless and special,” the company’s description on LinkedIn reads.

According to a data breach notification released by Hertz, the company discovered on February 10, 2025, that an “unauthorized third party” had accessed and acquired Hertz data by exploiting zero-day vulnerabilities in the Cleo platform in October and December 2024.

The notification states: “Cleo is a vendor that provides a file transfer platform used by Hertz for limited purposes. On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024. Hertz immediately began analyzing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted.”

The compromised information varies by individual but potentially includes:

  • Customer names and contact information
  • Dates of birth
  • Credit card information
  • Driver’s license details
  • Information related to workers’ compensation claims

More concerning, Hertz warned that “a very small number of individuals” may have had their Social Security numbers, government identification numbers, passport information, Medicare or Medicaid IDs associated with workers’ compensation claims, or injury-related information from vehicle accident claims exposed in the breach.

While the total number of affected customers has not been disclosed by Hertz, regulatory filings with Maine’s Attorney General’s Office indicate that at least 3,409 residents of that state alone are receiving breach notifications.

Notifications have also been filed in California and Vermont, though these states do not report specific numbers of affected individuals.

In response to the breach, Hertz is offering impacted customers two years of free identity monitoring services.

The company has advised customers to remain vigilant for potential fraud, though it claims it has “not detected any misuse of personal information for fraudulent purposes” thus far.

The Clop ransomware gang has previously leaked Hertz’s data on its extortion site.

The Hertz breach is part of a broader series of attacks by the Clop ransomware gang, which exploited zero-day vulnerabilities in Cleo’s file transfer platforms, including Cleo Harmony, VLTrader, and LexiCom, beginning in October 2024.

Clop has claimed responsibility for stealing data from 66 companies in this campaign. Other confirmed or suspected victims include Western Alliance Bank, WK Kellogg Co, and Sam’s Club.

Cybersecurity researchers tracking the group note that Clop has evolved its tactics since emerging in 2019.

Initially focused on encrypting victims’ systems with ransomware, the group has since 2020 pivoted primarily to data theft attacks targeting previously unknown vulnerabilities in secure file transfer platforms.

The stolen data is then used as leverage to extort companies for millions of dollars to prevent public leaks.