Hertz announced a massive data breach that put the personal information of millions of its customers, including their driver’s license numbers, at risk. A spokesperson for Hertz confirmed to TechCrunch that there is no evidence suggesting that Hertz’s own network was directly impacted by the incident. Rather, the breach is tied to a cyberattack on Cleo Software, a vendor that offers enterprise file transfer services.
The Timing and Global Impact of the Breach
The breach took place from October 2024 to December 2024. It affects customers in all of Hertz’s markets, including Australia, Canada, the European Union, New Zealand and the United Kingdom. Hertz has posted notices on its websites for customers impacted by the breach. The notices provide recommendations for ways affected customers can protect themselves. The company has so far not disclosed the total number of people affected. It did affirm that at least 3,400 customers in Maine were harmed.
The stolen data varies by region but primarily includes customer names, dates of birth, contact information, driver’s licenses, payment card information, and workers’ compensation claims. A more limited group of customers also had their Social Security numbers and other government-issued ID numbers exposed in the breach.
Cleo Software’s Role in the Breach
Cleo Software finds itself on the receiving end of a widespread mass-hacking campaign. Behind this latest ransomware attack is the infamous Clop gang, a group associated with Russia. This group was the first to claim credit for the hack, which used a zero-day vulnerability. The attack specifically targeted Cleo’s products, which facilitate fast, safe, and secure movement of data between organizations. It’s the most recent example of one of 2024’s largest data extortion campaigns. This event has changed the landscape for many manufacturers who depended on Cleo’s services at the time.
Hertz has recently moved to inform multiple states, including California and Maine, of the breach. The company has since been scrambling to fix the fallout from this breach as it continues to assess the full breadth of the data that was stolen. As the investigation is still ongoing, it is uncertain how many other customers could be at risk.
What The Author Thinks
This breach underscores the critical vulnerabilities in the supply chain, as Hertz’s security was indirectly compromised through a third-party vendor. As companies rely on external partners for crucial services, they must prioritize cybersecurity across the entire network to prevent these types of attacks from affecting their customers. The fallout from such breaches can be severe, not just in terms of financial costs but also in the erosion of trust.