Date: 2025-04-15

Car rental company Hertz has confirmed that customer data was stolen during a data breach, which also affected data from the Thrifty and Dollar brands.

The data breach occurred after attacks that exploited zero-day vulnerabilities in the Cleo platform, as reported by BleepingComputer.

According to the data breach notification, Hertz Corporation discovered on February 10, 2025, that an unauthorized third party had accessed its data. This party is said to have exploited vulnerabilities in Cleo’s platform in October and December 2024. Hertz Corporation indicated that it had immediately started analyzing the data to determine the scope of the incident and to find out which individuals may have been affected.

Wide range of stolen data

The stolen data differs per person, but according to Hertz, it can include names, contact details, dates of birth, credit card information, driver’s license details and information relating to personal injury claims in the context of workers’ compensation.

The company also reported that in some cases, social security numbers or other government identifiers were stolen. According to Hertz, a few people may also have had other data stolen, such as passport information, Medicare or Medicaid numbers (related to workers’ compensation), or information about injuries in vehicle accidents.

Although Hertz has not disclosed the total number of customers affected, the office of the attorney general in the US state of Maine reports that 3,409 people there have received a notification. Customers in California and Vermont have also been informed, but the numbers for those states have not been disclosed.

Free identity monitoring as compensation

Hertz is now offering affected customers two years of free identity monitoring. The company advises customers to be alert to possible fraud. Although there is no evidence so far that the personal information has actually been misused for fraudulent purposes, it has previously been revealed that the Clop ransomware group has published the stolen data on its extortion website.