Skip to content
Supply chainResolved

Leak at Hertz

On 15 April 2025, car-rental company Hertz disclosed a data breach stemming from the late-2024 zero-day exploitation of Cleo's file-transfer software by the CL0P group, exposing customer names, contact details, dates of birth, driver's licences, credit-card and passport data.

Victim
Hertz

On 15 April 2025, Hertz — the global car-rental company, which also operates the Dollar and Thrifty brands — confirmed a data breach affecting an undisclosed number of customers. The incident did not result from a direct intrusion into Hertz's own systems but from a supply-chain compromise at one of its vendors, Cleo Communications.

The breach traces back to the CL0P ransomware group's mass exploitation of zero-day vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo's managed file-transfer products — Harmony, VLTrader and LexiCom. Attackers accessed Hertz data through this platform in October and December 2024. Hertz confirmed the unauthorised access on 10 February 2025 and completed its data analysis around 2 April 2025 before notifying affected individuals.

Data exposed varied by customer but could include:

  • Names and contact details
  • Dates of birth
  • Driver's licence information
  • Credit-card information
  • Passport details
  • For a smaller subset: Social Security numbers, other government IDs and workers' compensation claim information

Hertz declined to give a total figure but said it would be "inaccurate to say millions" were affected; regulatory filings confirmed at least 3,400 customers in the US state of Maine. The company reported the incident to law enforcement and regulators, said it had found no evidence of fraudulent misuse, and offered free identity-monitoring services to higher-risk individuals.

Sources

  1. next.inkhttps://next.ink/brief_article/hertz-sest-fait-derober-des-donnees-clients-permis-passeports-cartes-de-credit/
  2. malwarebytes.comhttps://www.malwarebytes.com/blog/news/2025/04/hertz-data-breach-caused-by-cl0p-ransomware-attack-on-vendor
  3. infosecurity-magazine.comhttps://www.infosecurity-magazine.com/news/hertz-data-breach-exposes-customer/
  4. computerweekly.comhttps://www.computerweekly.com/news/366622655/Hertz-warns-UK-customers-of-Cleo-linked-data-breach

Related incidents

Supply chainContained

Data leak at Suzuki

Suzuki France disclosed that a cyberattack on one of its third-party partner systems exposed a customer file containing names, email addresses, postal addresses and phone numbers; no financial data or passwords were affected.

Victim
Suzuki
Supply chainContained

Leak at Air France

In August 2025, Air France-KLM disclosed that attackers accessed customer data — names, contact details, Flying Blue loyalty numbers and status, and customer-service request subjects — via a compromised third-party customer-service platform.

Victim
Air France