← Back to Blog

Hertz Data Breach

April 20, 2025

1.0 Incident

A popular rental car company named Hertz experienced a cybersecurity breach late in 2024. One of their third-party resources called Cleo which is a file sharing tool caused a vulnerability in Hertz's system (Greig, 2025). The flaw created in Hertz's systems by Cleo resulted in the unauthorized access of sensitive documents containing information of customers. Some of this information included data such as credit card information, Social Security number, as well as passport and drivers license information (Reuters, 2025).

Although the attacks took place in late 2024 it was only reported months later leaving months in-between the breach and the notification of customers. It seems third party tools continue to be a substantial vulnerability for corporations. Many of my writings this semester has focused on the third party systems and the mistakes those companies have made.

2.0 Analysis

The Hertz data loss originated form third party file sharing software Cleo. The Cleo Communications vulnerability was classified as a zero-day vulnerability (Mascellino, 2025). A zero-day vulnerably is a issue in the software that has had zero days to be fixed and has managed to fly under the radar of security measures. The issue within the Cleo software allowed attackers to run commands on directories and gain access to systems to steal files with customers information. This information included financial and personally identifiable information. It is said these vulnerabilities were exploited by a ransomware group call Cl0p (Arghire, 2025). This ransomware group exploited more companies than just the Hertz rental car company however that is what this article will focus on. This group found the vulnerability and it allowed unauthorized access to files on anyone's devices who are uses the Cleo Communications software.

3.0 Assessment

This attack will have a large effect on the image of the Hertz rental car company and could cause clients to choose customers who have not had data breaches reported. These events will also have effects on the previous customers of the Hertz rental car company. Some of this data loss could lead to identity theft as well as potential financial loss. Unfortunately, the frequency of data breaches and the unknown factor of human error makes avoiding data breaches as a company very difficult (Zhang et al., 2022). This incident shows that corporations need to be very careful when choosing third party clients that will have elevated access to their systems. For the consumer however it is important to monitor your own data because in this day and age your are increasingly likely to have your sensitive data leaked by corporations you have trusted (Marcus, 2018). Hertz did announce they haven't noticed any evidence of the usage of this data by the ransomware group which likely means the rental car company decide to pay the ransom to save some face and retain customers after the attack although there's no way to ensure the group doesn't do what they please with the data.

4.0 Implications

The attack serves to point out the urgency for organizations to assess and keep third-party risk in check effectively. Relying on third-party access providers for essential services like data transport requires strict security controls and careful monitoring. In this era data has become so valuable that organizations now have targets on their back and leaves them at risk of hurting their reputation as well as hurting them financially (Cheng et al., 2017). For example in the case of the Hertz rental car company they spent money paying the ransom and will likely have to spend financial resources paying lawyers and paying customers who sue successfully. The security professionals have to reanalyze their risk evaluation models to integrate rigorous assessments of third party vendors security controls. In addition, the incident calls for stronger regulations and industry standards related to third-party cyber security to prevent such attacks from happening in the future.

5.0 Solutions

There are many steps that Hertz and similar companies can take to prevent incidents like this in the future. However, for individuals there has been identity theft protection provided for individuals affected by the Hertz data breach (Milden, 2025). Individuals should also consider doing this even if they haven't been a part of a large data breach. They can also use public resources to monitor the security of their accounts and identity. But businesses have to ensure they properly vet their third-party vendors before giving them higher permissions on their systems. They also need to keep a close eye on the activity of third-party resources in order to detect these attacks as soon as they occur to reduce the losses they endure. All in all, companies need to take steps to protect customer data to the best of their ability and individuals need to monitor activity on their accounts and identity to catch any incidents as soon as they happen.

6.0 References

Arghire, I. (2025, April 15). Hertz discloses data breach linked to Cleo hack. SecurityWeek. https://www.securityweek.com/hertz-discloses-data-breach-linked-to-cleo-hack/

Cheng, L., Liu, F., & Yao, D. D. (2017). Enterprise data breach: Causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5), e1211. https://doi.org/10.1002/widm.1211

Greig, J. (2025, April 16). More than 100,000 had information stolen from Hertz through Cleo file share tool. The Record. https://therecord.media/hertz-data-breach-notifications-cleo-vulnerability

Marcus, D. J. (2018). The data breach dilemma. Duke Law Journal, 68(3), 555-593. https://www.jstor.org/stable/48563659

Mascellino, A. (2025, April 16). Hertz data breach exposes customer information in Cleo zero-day attack. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/hertz-data-breach-exposes-customer/

Milden, D. (2025, April 17). If you were impacted by the Hertz data breach, here's what you need to do now. CNET. https://www.cnet.com/personal-finance/if-you-were-impacted-by-the-hertz-data-breach-heres-what-you-need-to-do-right-now/

Reuters. (2025, April 14). Hertz says hackers stole its customer data. Reuters. https://www.reuters.com/technology/cybersecurity/hertz-says-hackers-stole-its-customer-data-2025-04-14/

Zhang, X., Yadollahi, M. M., Dadkhah, S., Isah, H., Le, D.-P., & Ghorbani, A. A. (2022). Data breach: Analysis, countermeasures and challenges. International Journal of Information and Computer Security, 19(4), 402-442. https://doi.org/10.1504/IJICS.2022.127169