- Car rental giant Hertz confirms it is a data violation
- The attack took place through CLEO, an provider of file transfer service
- The threat actors abused a zero-day to enter
The car rental giant Hertz has confirmed the suffering of cyberattack, which saw the losing sensitive customer information.
In a review of data violation published on its site, the company said the incident involved Cleo Communications, a software company that provided file transfer services to Hertz “for limited purposes”.
The report says an unidentified threat actor took advantage of a zero-day vulnerability in the CLEO platform to smooth out sensitive data in October and December 2024.
Hallucinating malware
“We completed this data analysis on April 2, 2025 and concluded that the personal information involved in this event may include the following: Name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation requirements,” the message reads.
“A very small number of individuals may have had their social security or other state identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation requirements) or injury-related information associated with requirements for vehicle accidents affected by the event.”
The exact number of people affected is not known at this time when a company spokesman says it would be, “inaccurate to say that millions of customers are affected.
The identity or violation of the Annor norms is also unknown at this time. It was probably not a ransomware attack when it took the company months to realize it was hacked. That said, this was probably a simple data mash-and-grab.
To mitigate the injuries, Hertz offers two years of identity monitoring and dark web surveillance services to potentially affected individuals without a roll, at no cost.
At the time of the press, there was no evidence that the stolen data were abused in any way.
Via Techcrunch
