Hertz Corporation has confirmed a security breach that has compromised personal data of customers of its Hertz brands, Thrifty and Dollar. The incident originated from zero-day vulnerabilities in the file transfer platform of its provider Cleo Communications, exploited by attackers in October and December 2024. The company detected the unauthorized access on 10 February 2025 and, since, has been investigating the extent of the event and notifying affected people.
The compromised data varies by individual, but they can include names, Contact Information, Dates of birth, Driver's license numbers, credit card details and data related to workers' compensation claims. In a small number of cases, Social Security numbers have also been affected, Passports and other government identifiers.
Hertz has assured that its own internal network was not compromised and that, to date, There is no evidence of fraudulent use of the stolen information. Nevertheless, The company has alerted relevant authorities and regulators and offered free identity monitoring services for two years to potentially affected customers, as a preventive measure.
This incident adds to a series of recent cyberattacks related to vulnerabilities in file transfer platforms, as in the case of WK Kellogg, who was also the victim of a similar attack. These events underscore the growing threat that cyberattacks pose to businesses and the importance of strengthening security measures on third-party systems.
Fountain: Bleeping Computer
Image: Enjosmith on Flickr