Hertz acknowledges data privacy breach due to vulnerabilities in Cleo's file-transfer system
The car rental giant, Hertz Corporation, has recently disclosed a data breach that affected its UK customers, as well as those of its associated brands Dollar and Thrifty. The breach, which was traced back to vulnerabilities in the Cleo file-transfer software, occurred in late 2024 and was part of a wider attack spree orchestrated by the Clop ransomware group.
### Details of the Breach
The breach involved the exploitation of a series of zero-day vulnerabilities in Cleo managed file transfer products. These vulnerabilities allowed unauthorized access to customer data stored or transferred through the Cleo platform used by Hertz. The breach was disclosed by Hertz in early 2025, with investigations ongoing as of April 2025.
### Affected Companies
Besides Hertz Corporation and its rental car brands Dollar and Thrifty, the breach is part of broader investigations involving Cleo Communications and other companies potentially impacted by related incidents. It is not yet clear whether other companies were directly affected by the same attack.
### Timeline
The Cleo zero-day exploits were used to attack Hertz systems in late 2024. Public disclosure and investigation began by April 2025, with law firms and cybersecurity teams actively involved in investigating the breach in April and May 2025. Follow-up actions and warnings were issued around April 2025, including notifications to UK customers.
### Impact
The breach has affected more than 3,400 Maine residents, according to reports. Clop, the ransomware group responsible for the attack spree, listed dozens of companies on its leak site in connection with the incident. However, it is not immediately clear whether Clop made any type of ransom demands against Hertz.
### Background
Clop is considered one of the most prolific threat groups in history, having been behind another massive attack spree in 2023 in connection with vulnerabilities in MOVE-it file-transfer software. The Hertz data breach underscores the risks associated with vulnerabilities in third-party file-transfer software like Cleo.
Hertz has reported the incident to law enforcement and is in the process of notifying relevant regulatory authorities. The company is working diligently to address the issue and protect its customers' data. As the investigation continues, more details about the breach and its impact are expected to be released.
- The cybersecurity community is underscoring the risks associated with vulnerabilities in third-party file-transfer software, such as Cleo, after the Hertz Corporation's data breach disclosure in early 2025.
- The timeline for the Hertz breach reveals that it occurred in late 2024, with public disclosure and investigation following in April 2025, and law firms and cybersecurity teams actively involved in investigating the breach during April and May 2025.
- The impact of the Hertz breach includes the exposure of customer data from over 3,400 Maine residents, as well as the Clop ransomware group listing dozens of companies in connection with the incident on their leak site, although it remains unclear whether Clop made any ransom demands against Hertz.
