Hertz Data Breach Exposes Customer Information, Including Licenses and Social Security Numbers


Hertz Data Breach Exposes Customer Information Via Third-Party Vendor

Car rental company Hertz has disclosed a notable data breach that compromised the personal information of several customers, the company announced this week.

On Monday, April 14, TechCrunch reported the release of a Notice of Data Incident on Hertz’s website. Per the notice, the breach was linked to a third-party vendor, Cleo, and may have compromised sensitive customer information such as names, contact information, birth dates, credit card numbers, driver’s license details, and information associated with workers’ compensation claims.

Moreover, the notice indicated that a smaller group of individuals might have had even more sensitive data compromised, including Social Security numbers, government-issued identification, passport information, Medicare or Medicaid details, and medical records pertaining to auto accident claims.

Hertz stated that it detected the breach on February 10, 2025, but the unauthorized access to customer data took place months prior, specifically in October and December of 2024.

While the company has not revealed the exact number of individuals affected, a version of the notice submitted to the Office of the Maine Attorney General suggested that 3,409 residents of Maine were impacted. Given that similar notifications were dispatched to customers across other regions—including Australia, Canada, New Zealand, and the United Kingdom—the actual number of affected individuals is likely significantly higher.

A spokesperson for Hertz refrained from providing a specific number but remarked, “It would be misleading to suggest millions of customers are affected.”

The breach was traced back to Cleo, a vendor that provides file-sharing services to Hertz. According to the notice, attackers exploited zero-day vulnerabilities in Cleo’s platform to gain unauthorized access to Hertz’s data. Cybersecurity firm Huntress had previously noted active exploitation of Cleo’s software during the same timeframe, and the ransomware group Clop subsequently claimed responsibility for attacks directed at Cleo’s servers.

Despite the breach, Hertz said it has found no evidence that the compromised information has been used for fraud. However, the company encouraged customers to remain vigilant for signs of identity theft or unusual activity. It also offered advice on monitoring financial accounts and credit reports, including steps to set up fraud alerts or credit freezes.

To assist affected customers, Hertz is providing two years of free identity monitoring services.

UPDATE: Apr. 15, 2025, 5:30 p.m. EDT — This article has been revised with further comments from a Hertz representative.