Other companies have been caught up in the vulnerability
Key takeaways:
- Hackers have stolen sensitive customer data from Hertz, including credit card details, driver's licenses and "a very small number" of Social Security numbers.
- Hertz has yet to disclose the number of data breach victims or stolen records.
- The Hertz data breach stems from vulnerabilities in the file-transfer app Cleo, which has exposed other companies.
A Hertz data breach hasexposed sensitive personal information of anundisclosed number of people.
The hacked information may include names, contact information, birth dates, credit card details, drivers license information and information related to workers compensation claims, Hertz said in a notice.
The car-rental company said "avery small number of individuals" may have had their Social Security numbers, passport information, Medicare or Medicaid ID associated with workers' compensation claims or injury information regarding a vehicle accident claim exposed.
Hackers exploited vulnerabilities in the file-transfer app Cleo to gain personal information stored by the car-rental company in October and December 2024, Hertz said.
No full disclosure yet
Hertz didn't disclose how many individuals or records were exposed in the data breach.
A filing with the Maine Attorney General, which requires some of the most detailed data breach reporting from companies, said the Hertz data breach affected3,409 Maine residents, but the filing hasn't been updated yetwith the total number of individuals affected in the U.S.
"Hertz also reported this event to law enforcement and is in the process of reporting the event to relevant regulators," Hertz said.
A Hertz spokesperson said to ConsumerAffairs that it was among companies caught up in the vulnerabilities of the file-transfer app Cleo, but "our forensic investigation has found no evidence that Hertz's own network was affected by this event."
The Cl0p ransomware group targeted the file-transfer app Cleo, which exposed Hertz and other companies,said Ensar Seker, chief information security officerat cybersecurity firm SOCRadar, in a statement.
This reinforces a painful truth: companies are only as secure as their most vulnerable vendor," he said.
"What makes this breach especially concerning is the type of data compromised, not just names and contact details, but drivers licenses, payment card information, Social Security numbers, and even workers compensation claims," Seker added. "This is prime identity theft material, and unfortunately, once its leaked, theres no putting the genie back in the bottle."
Hertz is offering 2-year identity theft monitoring from Kroll tovictims, who can sign up athufcuwxgqzil.kroll.com.
Sign up below for The Daily Consumer, our newsletter on the latest consumer news, including recalls, scams, lawsuits and more.
Posted: 2025-04-15 21:20:21
