Customer Data Breach at Hertz Linked to Vendor Vulnerability
A significant cybersecurity incident has befallen Hertz, a major car rental company, following the exposure of sensitive customer data due to a breach associated with one of its vendors, Cleo Communications US. The incident was revealed in an official notice on Hertz’s website, detailing that a zero-day vulnerability in Cleo’s platform was exploited late last year, enabling unauthorized individuals to access and extract customer information.
State government notifications confirm that the breach has impacted at least 100,000 customers. The compromised data includes personal details such as names, contact information, credit card numbers, and driver’s license identifiers. Additionally, Hertz disclosed that a select few individuals had their Social Security numbers, passport information, Medicaid or Medicare IDs, as well as records related to vehicle accident claims, exposed as part of the incident.
The company’s notice stated, "On February 10th, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024." Hertz immediately began analyzing the data to ascertain the extent of the breach and to identify which individuals may have been affected.
Although Hertz claims to use Cleo’s file transfer services for limited purposes, they have not yet disclosed the total number of affected customers. Following the breach, Hertz has taken steps to mitigate potential risks, with Cleo reportedly addressing the security deficiencies that led to the vulnerability. To further assist those affected, Hertz has issued letters to impacted customers and is offering complimentary identity monitoring services to individuals whose records were compromised.
Despite the apparent gravity of the situation, Hertz stated that it has not been made aware of any misuse of personal information for fraudulent activities stemming from this incident. They encourage all potentially impacted individuals to remain alert for signs of fraud or discrepancies by regularly reviewing account statements and monitoring credit reports for unauthorized activities.
From a tactical perspective, this incident aligns with several methods outlined in the MITRE ATT&CK framework. Techniques such as initial access through exploitation of a zero-day vulnerability, followed by potential exfiltration of sensitive data, are indicative of sophisticated adversary tactics. By exploiting known vulnerabilities and targeting third-party services, attackers can significantly compromise data integrity within organizations.
As the incident evolves, it highlights the necessity for business owners to continually assess their cybersecurity measures and vendor management practices. This breach serves as a reminder of the interconnectedness of systems and the potential vulnerabilities that can arise from third-party services.
Frequent system audits and robust vendor risk assessments are imperative for organizations looking to safeguard their sensitive data against similar incidents in the future. In today’s digital landscape, remaining vigilant against emerging threats is essential for protecting both customer and corporate information.
For continuous updates on cybersecurity vulnerabilities and breaches, follow us on our social media platforms and subscribe to our newsletter for timely alerts directly to your inbox.
