Potentially huge Hertz data breach sees customer personal info and driver licenses stolen

(Image credit: Shutterstock / Sashkin)

• Car rental giant Hertz confirms suffering a data breach
• The attack occurred through Cleo, a file transfer service provider
• The threat actors abused a zero-day to get in

Car rental giant Hertz has confirmed suffering cyberattack which saw it lose sensitive customer information.

In a data breach notification letter published on its website, the company said that the incident involved Cleo Communications, a software company that provided file transfer services for Hertz “for limited purposes”.

The report says an unidentified threat actor exploited a zero-day vulnerability in the Cleo platform to exfiltrate sensitive data in October and December 2024. The attack was spotted in mid-February 2025, prompting an investigation, with the analysis concluding some customer data was taken.

Hallucinating malware

“We completed this data analysis on April 2, 2025, and concluded that the personal information involved in this event may include the following: name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims,” the announcement reads.

“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event.”

The exact number of affected individuals is not known at this time, with a company spokesperson saying it would be, “inaccurate to say millions” of customers are affected.

The identity of the attackers, or the nature of the breach, is also unknown at this time. It most likely wasn’t a ransomware attack, since it took the company months to realize it was hacked. That being said, this was most likely a simple data smash-and-grab.

To mitigate the damages, Hertz is offering two years of identity monitoring and dark web monitoring services to potentially impacted individuals, through Kroll, at no cost.

At press time, there was no evidence that the stolen data was misused in any way.

Via TechCrunch

You might also like

• Cl0p resurgence drives ransomware attacks to new highs in 2025
• Take a look at our guide to the best authenticator app
• We've rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.