Hertz says hackers stole customer credit card and driver’s license data

In a world increasingly reliant on digital infrastructure, cybersecurity breaches continue to pose significant risks for companies and their customers. The latest organization affected is Hertz, one of the world’s most recognized car rental giants. In early 2025, the company disclosed a serious data breach involving sensitive customer information—including credit card and Social Security numbers—triggered by a cyberattack on one of its third-party vendors. While Hertz has stated that there is no evidence of misuse at this time, the situation raises pressing concerns about data security practices, vendor vulnerabilities, and the growing threat of ransomware attacks.


The Breach: What Happened?
According to a public notice issued by Hertz on its website, the breach occurred between October and December 2024, targeting vulnerabilities in the Cleo Communications file transfer platform, a service widely used for secure data exchange among global enterprises. Hackers exploited zero-day vulnerabilities—previously unknown flaws in the system—to gain unauthorized access to Hertz's customer data through Cleo, a third-party vendor.

Hertz confirmed the breach on February 10, 2025, after a security investigation uncovered the unauthorized access. By April 2, further analysis revealed the extent of the damage, which included the exposure of:

Full names and contact information

Dates of birth

Credit card information

Driver’s license details

Workers' compensation-related data

Government-issued identifiers including passport and Social Security numbers

While Hertz emphasized that only "a very small number" of individuals had their Social Security numbers compromised, the sensitivity of the stolen information makes this a potentially high-impact event, especially if used for identity theft or financial fraud.

Vendor Vulnerability: The Cleo Communications Link
This breach is part of a larger trend of cyberattacks targeting software vendors rather than companies directly—a method that allows bad actors to infiltrate multiple organizations simultaneously. Cleo Communications was reportedly one of several targets in a mass-hacking campaign in late 2024. The Russia-affiliated Clop ransomware gang later claimed responsibility for those attacks, leaking sensitive Cleo data on its extortion website and listing 59 affected organizations.

This strategy—sometimes referred to as a “supply chain attack”—exposes a dangerous blind spot in cybersecurity. Many organizations, including Hertz, depend on third-party platforms for handling data securely. If one link in that chain is compromised, it can result in widespread data exposure across numerous companies.

Hertz’s Response and Ongoing Risks
Hertz says it has reported the incident to law enforcement and appropriate regulatory bodies in all relevant jurisdictions, including the United States, Canada, the European Union, the United Kingdom, and Australia. Additionally, Cleo has reportedly patched the identified vulnerabilities to prevent further exploitation.

Despite the breach, Hertz has assured the public that there is no current evidence of misuse of the stolen data. However, they have not disclosed how many customers were affected, leaving a cloud of uncertainty hanging over the incident.

Cybersecurity experts caution that the absence of immediate misuse does not guarantee safety. Stolen personal information—especially high-value data such as Social Security or passport numbers—can lie dormant on the dark web for months before being used or sold.

Key Takeaways and Lessons for the Future
Vendor Risk Management is Critical
Companies must evaluate the cybersecurity posture of every vendor they rely on, especially those handling sensitive customer information. Vendor security audits and contractual security obligations are no longer optional.

Zero-Day Vulnerabilities Are a Growing Threat
Exploits that take advantage of unknown software flaws are on the rise. Organizations need to implement proactive threat detection systems and maintain close communication with software providers to ensure patches are applied swiftly.

Transparency Matters
While Hertz has been commendably forthcoming in disclosing the breach and posting a public notice, the lack of clarity around how many customers were affected may hinder trust. Full disclosure helps users take protective measures sooner.

Consumer Vigilance is Essential
Even if no misuse has been detected, customers should take steps to protect themselves—such as monitoring their credit reports, placing fraud alerts, and changing any exposed credentials.

Conclusion
The Hertz data breach underscores the evolving complexity of cybersecurity in an interconnected digital ecosystem. As businesses increasingly rely on third-party platforms, the need for robust security measures—both internally and externally—becomes more urgent. This incident is a stark reminder that cybersecurity is not just a technical issue but a critical aspect of customer trust and corporate responsibility.

As investigations continue and more information surfaces, both companies and consumers alike must remain alert, proactive, and informed in the face of a growing cyber threat landscape.