
The Hertz Cleo Data Breach: A Comprehensive Overview

  • Writer: David Heath
  • May 6

Updated: May 10

Introduction

In February 2025, Hertz Corporation, the parent company of Hertz, Dollar, and Thrifty car rental brands, disclosed a significant data breach that compromised sensitive customer information. The breach was linked to vulnerabilities in the file transfer platform provided by Cleo Communications, a third-party vendor used by Hertz for limited data-sharing purposes. This incident, attributed to the notorious Clop ransomware group, has highlighted the risks associated with third-party software and the importance of robust cybersecurity measures. This report details the scale of the breach, the types of information compromised, how the breach occurred, and Hertz’s response, drawing on information from multiple authoritative sources.


Scale of the Breach

The exact number of individuals affected by the Hertz Cleo breach remains undisclosed, as Hertz has not provided a nationwide total. However, state-specific notifications offer some insight into the scope:

  • Texas: 96,665 residents were affected, as reported to the Texas Attorney General’s office (Recorded Future News).

  • Maine: 3,409 residents received notifications, according to the Maine Attorney General’s office (SecurityWeek).

  • Nationwide Estimate: Based on these figures, the total number of affected individuals is likely in the tens of thousands.


The company has clarified that claims of “millions” affected are inaccurate, suggesting the breach’s scope is significant but not in the millions (TechCrunch). No specific count of compromised credit cards has been publicly disclosed, though credit card information was among the exposed data.

Table: Estimated Number of Affected Individuals by State

| State | Number of Affected Individuals | Source |
|---|---|---|
| Texas | 96,665 | Recorded Future News |
| Maine | 3,409 | SecurityWeek |
| Nationwide | Tens of thousands (estimated) | Recorded Future News |

Types of Information Compromised

The breach exposed a wide range of sensitive personal and financial information, putting affected individuals at risk of identity theft, financial fraud, and other cybercrimes. The compromised data includes:

  • Basic Personal Information: Customer names, contact information (e.g., email addresses, phone numbers), and dates of birth.

  • Financial Information: Credit card details, though the exact number of affected cards is not specified.

  • Identification Documents: Driver’s license numbers, government-issued IDs, passport information, and Medicare or Medicaid IDs.

  • Sensitive Records: In some cases, Social Security numbers, injury-related records from vehicle accident claims, and workers’ compensation claims information.

This broad spectrum of data was accessed in varying degrees across affected individuals, with some experiencing exposure of highly sensitive information like Social Security numbers and passports (Infosecurity Magazine).


How the Breach Occurred

The Hertz Cleo breach was the result of hackers exploiting two zero-day vulnerabilities in Cleo’s file transfer platform, specifically:

  • CVE-2024-50623

  • CVE-2024-55956


These vulnerabilities, present in Cleo’s Harmony, VLTrader, and LexiCom managed file transfer platforms, allowed unauthorized access to data stored on the platform. The attacks occurred in two phases:

  • October 2024: Initial exploitation of the vulnerabilities.

  • December 2024: A second wave of attacks further compromised data.


The Clop ransomware group, a Russia-linked cybercrime syndicate known for high-profile attacks like the MOVEit campaign, claimed responsibility for the breach. Clop exploited these vulnerabilities to access and steal data from Hertz and other organizations using Cleo’s software. Notably, Hertz’s own network was not directly compromised; the breach occurred through Cleo’s platform, which Hertz used for limited file-sharing purposes (SecurityWeek).

The Clop group has a history of leveraging zero-day exploits in file transfer software to conduct mass-hacking campaigns. In this case, they claimed to have stolen data from nearly 60 companies by exploiting Cleo’s vulnerabilities, with Hertz being one of the affected organizations (TechCrunch).


Hertz’s Response

Hertz took several steps to address the breach upon its discovery on February 10, 2025:

  • Data Analysis: The company conducted a thorough analysis of the exposed data, completing this process by April 2, 2025, to identify affected individuals and the scope of the breach.

  • Victim Notification: Starting April 11, 2025, Hertz began notifying affected customers through email, letters, and website notices. Notifications were also filed with state Attorney General’s offices in California, Iowa, Maine, Texas, and Vermont.

  • Identity Protection Services: Hertz is offering two years of free identity protection and credit monitoring services through Kroll to help mitigate risks of identity theft and fraud.

  • Law Enforcement Engagement: The incident was reported to law enforcement for further investigation.

Hertz has emphasized that there is no evidence its own network was affected, reinforcing that the breach was a result of vulnerabilities in Cleo’s platform (Cybersecurity Dive).


Broader Implications

The Hertz Cleo breach is part of a larger series of cyberattacks exploiting the same Cleo vulnerabilities, affecting nearly 100 organizations worldwide. Other notable victims include:

  • WK Kellogg: Employee information was stolen through the same Cleo vulnerabilities.

  • Western Alliance Bank: Over 20,000 individuals were affected by a similar breach.

These incidents highlight the systemic risks associated with managed file transfer platforms, which are widely used for sharing sensitive data across organizations. The Clop group’s ability to exploit zero-day vulnerabilities underscores the challenges of securing third-party software and the need for proactive vulnerability management (CPO Magazine).


Conclusion

The Hertz Cleo breach of 2024–2025 serves as a stark reminder of the vulnerabilities inherent in third-party software and the devastating consequences of zero-day exploits. With tens of thousands of customers potentially affected and sensitive data like credit card details and Social Security numbers exposed, the incident has significant implications for both Hertz and its customers. Hertz’s response, including notifications and identity protection services, aims to mitigate the damage, but the breach underscores the need for enhanced cybersecurity practices, particularly in vendor relationships. As cyber threats continue to evolve, organizations must prioritize patching vulnerabilities, monitoring third-party platforms, and safeguarding customer data to prevent similar incidents in the future.

