Hertz Data Breach Leaves Customer Info in the Fast Lane—But Not in a Good Way

Hertz is in the spotlight for all the wrong reasons after a major data breach exposed sensitive information belonging to thousands of its customers. The breach didn’t come straight through Hertz’s front door; instead, hackers slipped in via a third-party software vendor, Cleo, which handles file transfers for the rental car giant.

Between October and December 2024, attackers exploited a zero-day vulnerability in Cleo’s software, quietly snatching up personal data that Hertz had shared as part of its everyday operations. While Hertz’s own systems remained untouched, the breach still managed to put a wide range of information—names, birth dates, contact details, driver’s license numbers, and even Social Security numbers—up for grabs. Some unlucky customers also had their payment card details and workers’ comp claims caught in the digital crossfire.

In the U.S., official filings revealed that 3,457 Mainers and a whopping 96,665 Texans were affected, with the actual global tally likely much higher. Notifications have gone out to customers in Australia, Canada, the EU, New Zealand, and the U.K. as well. So if you rented a car from Hertz, Dollar, or Thrifty during that window, you might want to double-check your inbox—and possibly your credit report.

The cybercriminals behind the breach are believed to be the notorious Clop ransomware gang, a Russia-linked operation with a track record of targeting big organizations through their vendors. In 2024, Clop ran a mass-hacking campaign against multiple Cleo users, swiping data from over 60 companies, Hertz included. What’s almost impressive (if it weren’t so alarming) is that Hertz initially insisted there was "no evidence" of a breach—even after Clop bragged about it on their dark web leak site.

A Hertz spokesperson said the company takes privacy and security seriously, emphasizing that the breach was limited to Cleo’s platform and that their own network was not compromised. Still, they confirmed that unauthorized parties accessed Hertz’s data by exploiting Cleo’s vulnerabilities.

Why does this matter? Exposed data like driver’s license numbers and Social Security numbers can set the stage for identity theft, fraudulent account openings, and targeted phishing attacks. If you were a Hertz customer during the breach period, it’s time to get vigilant.

Here’s what you can do to protect yourself:

• Be alert for phishing scams: Attackers may use your data to craft convincing emails or calls. Don’t click suspicious links or share personal info with anyone who contacts you out of the blue.
• Use strong antivirus software: Defend your devices from malware that might sneak in through phishing attempts.
• Remove your data from public databases: Consider using a data removal service to limit your digital footprint.
• Sign up for identity theft protection: Services like these monitor your information and alert you to suspicious activity.
• Set up fraud alerts with credit bureaus: This makes it harder for criminals to open new accounts in your name.
• Regularly check your credit reports: Catch unauthorized activity early before it snowballs.
• Change your passwords: Use unique, strong passwords and a manager to keep track of them.
• Stay wary of social engineering: Never give out sensitive info to unverified callers or emailers, no matter how convincing they sound.

This breach is a textbook example of why companies can’t afford to take their partners’ cybersecurity for granted. Even when a big brand’s own network is secure, the digital supply chain can be riddled with vulnerabilities. The lesson for consumers? Trust but verify—and maybe don’t hand over your whole life story just to rent a car.