Car rental giant Hertz has disclosed a significant data breach affecting customers across multiple countries, including the UK, EU, Australia, New Zealand, Canada, and the United States. The breach, which occurred between October and December 2024, was the result of a cyberattack on a third-party vendor, Cleo Communications US, LLC.​

‎

The compromised data varies by region but largely includes customers’ names, dates of birth, contact information, driver’s license numbers, payment card information, and details related to workers’ compensation claims. A smaller subset of customers also had their Social Security numbers and other government-issued identification numbers exposed.​

‎

Hertz, which also operates the Dollar and Thrifty brands, has begun notifying affected customers and has reported the breach to relevant authorities, including state attorneys general in the U.S. While the total number of affected individuals has not been disclosed, at least 3,400 customers in Maine have been identified as impacted.​

‎

The company has attributed the breach to vulnerabilities in Cleo’s file transfer platform, which were exploited by a ransomware group known as Clop. This group has previously claimed responsibility for a series of cyberattacks targeting companies using Cleo’s software.​

‎

Hertz has stated that there is no evidence its own systems were directly compromised. However, the incident underscores the risks associated with third-party vendors and the importance of robust cybersecurity measures.​

‎

To assist affected customers, Hertz is offering two years of complimentary identity monitoring and dark web surveillance services through Kroll. Customers are advised to remain vigilant, monitor their financial accounts, and report any suspicious activity.​ This breach serves as a stark reminder of the growing threat of cyberattacks and the need for companies to ensure the security of their data, both internally and through their partnerships.​