• Car rental giant Hertz confirms suffering a data breach
• The attack occurred through Cleo, a file transfer service provider
• The threat actors abused a zero-day to get in

Car rental giant Hertz has confirmed suffering cyberattack which saw it lose sensitive customer information.

In a data breach notification letter published on its website, the company said that the incident involved Cleo Communications, a software company that provided file transfer services for Hertz “for limited purposes”.

The report says an unidentified threat actor exploited a zero-day vulnerability in the Cleo platform to exfiltrate sensitive data in October and December 2024. The attack was spotted in mid-February 2025, prompting an investigation, with the analysis concluding some customer data was taken.

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

Hallucinating malware

“We completed this data analysis on April 2, 2025, and concluded that the personal information involved in this event may include the following: name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims,” the announcement reads.

“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event.”

The exact number of affected individuals is not known at this time, with a company spokesperson saying it would be, “inaccurate to say millions” of customers are affected.

The identity of the attackers, or the nature of the breach, is also unknown at this time. It most likely wasn’t a ransomware attack, since it took the company months to realize it was hacked. That being said, this was most likely a simple data smash-and-grab.

To mitigate the damages, Hertz is offering two years of identity monitoring and dark web monitoring services to potentially impacted individuals, through Kroll, at no cost.

At press time, there was no evidence that the stolen data was misused in any way.

Via TechCrunch

You might also like

• Cl0p resurgence drives ransomware attacks to new highs in 2025
• Take a look at our guide to the best authenticator app
• We've rounded up the best password managers