The Hertz Corporation, representing its Hertz, Dollar, and Thrifty brands, has disclosed a significant data breach involving Cleo Communications US, LLC (“Cleo”), a third-party vendor providing file transfer services.
The breach, confirmed on February 10, 2025, resulted from the exploitation of zero-day vulnerabilities in Cleo’s platform during October and December 2024, leading to the unauthorized acquisition of Hertz data by a third party.
Technical Details: Zero-Day Exploits and Data Compromise
A zero-day vulnerability is a previously unknown security flaw in software that is exploited before the vendor becomes aware of it and can issue a patch.
In this incident, attackers leveraged such vulnerabilities in Cleo’s file transfer platform, bypassing existing security controls and gaining unauthorized access to sensitive data.
The breach was not detected until months after the initial compromise, highlighting the challenges organizations face in defending against zero-day attacks.
Scope of Exposed Information
Following a comprehensive data analysis completed on April 2, 2025, Hertz determined that the compromised data may include:
- Name
- Contact information
- Date of birth
- Credit card information
- Driver’s license details
- Workers’ compensation claim information
A limited subset of individuals may have had even more sensitive data exposed, such as Social Security numbers, government identification numbers, passport information, Medicare or Medicaid IDs (linked to workers’ compensation claims), and injury-related information from vehicle accident claims.
Response and Mitigation Measures
Upon confirmation of the breach, Hertz and Cleo initiated a thorough investigation and remediation process.
Cleo addressed the identified vulnerabilities, and Hertz notified law enforcement and relevant regulatory authorities.
As a precaution, Hertz has engaged Kroll to provide two years of complimentary identity monitoring or dark web monitoring services to potentially affected individuals.
Recommendations for Affected Individuals
Hertz advises all potentially impacted customers to remain vigilant against identity theft and fraud.
Recommended actions include:
- Regularly reviewing account statements and free credit reports for unauthorized activity.
- Placing a fraud alert on credit files, which requires businesses to verify identity before extending new credit. An initial fraud alert lasts one year, while an extended alert for identity theft victims lasts seven years.
- Placing a credit freeze (security freeze), which restricts access to credit reports without explicit authorization, thereby preventing new credit accounts from being opened in the individual’s name. This process is free under federal law but may delay legitimate credit applications.
To request a credit freeze, individuals must provide:
- Full name (including suffixes)
- Social Security number
- Date of birth
- Addresses from the past two to five years
- Proof of current address (e.g., utility bill)
- Government-issued ID copy
- Police or investigative report if identity theft is involved
Contact information for the three major credit bureaus:
Bureau | Fraud Alert Address | Credit Freeze Address | Website | Phone |
---|---|---|---|---|
Equifax | P.O. Box 105069, Atlanta, GA 30348-5069 | P.O. Box 105788, Atlanta, GA 30348-5788 | equifax.com/personal/credit-report-services/ | 1-888-298-0045 |
Experian | P.O. Box 9554, Allen, TX 75013 | P.O. Box 9554, Allen, TX 75013 | experian.com/help/ | 1-888-397-3742 |
TransUnion | P.O. Box 2000, Chester, PA 19016 | P.O. Box 160, Woodlyn, PA 19094 | transunion.com/credit-help | 1-800-916-8800 |
Legal Rights and Additional Resources
Under the Fair Credit Reporting Act (FCRA), individuals have the right to:
- Obtain a free credit report annually from each major bureau
- Dispute inaccurate or incomplete information
- Place fraud alerts or credit freezes at no cost
- Seek damages for violations
Victims of identity theft are encouraged to file police reports and notify the Federal Trade Commission (FTC) and their state Attorney General.
The FTC provides resources and complaint filing at www.consumer.gov/idtheft or 1-877-IDTHEFT (438-4338).
While Hertz has not detected any fraudulent use of the compromised data, the company urges all affected individuals to take proactive steps to safeguard their personal information.
The incident underscores the persistent threat posed by zero-day vulnerabilities and the importance of robust vendor risk management and rapid incident response.