Car rental corporation Hertz Global Holdings has confirmed unauthorised access to customer information across its Hertz, Dollar, and Thrifty brands, following cyberattacks targeting vulnerabilities in software provided by an external vendor.
The breach occurred between October and December 2024 through exploits in Cleo Communications’ file-transfer systems, which are used by organisations to share sensitive data. Compromised details vary by region but include names, dates of birth, contact information, driver’s licence numbers, payment card data, and, in limited cases, Social Security numbers or government-issued identification documents.
Notifications have been issued to customers in Australia, Canada, European Union member states, New Zealand, the United Kingdom, and multiple U.S. regions, including Maine, where at least 3,400 individuals were impacted. While the global scale remains undisclosed, spokesperson Emily Spencer clarified that it would be “inaccurate to say millions” are affected.
The breach traces to the Clop ransomware group, which exploited previously unknown security flaws in Cleo’s software to access corporate data. This follows a pattern of attacks by the Russia-linked collective, which claimed responsibility for stealing information from nearly 60 companies through the same vulnerabilities.
Hertz initially stated it found “no evidence” of compromised systems when named on Clop’s dark web leak site last year but later confirmed customer data was exfiltrated via Cleo’s platform.
Affected individuals are being offered identity monitoring services through cybersecurity firm Kroll, alongside guidance to scrutinise financial statements and credit reports. The company maintains its internal networks remained secure, attributing the incident solely to third-party software weaknesses. Cleo Communications has since patched the vulnerabilities, according to recent updates.
Regional websites for Hertz now display breach notifications with jurisdiction-specific advice, including dedicated support lines for customers in Australia and the UK.