More than 100,000 had information stolen from Hertz through Cleo file share tool

Thousands of Social Security and driver’s license numbers were pilfered from car rental giant Hertz when hackers exploited a vulnerability in a popular file sharing tool last fall. 

Hertz, which owns its eponymous car rental company as well as top brands like Dollar and Thrifty, began reporting a data breach to state regulators in California, Iowa, Maine, Texas, Vermont last week. 

The company did not report the total number of people nationwide to regulators in Maine, which typically collects that information. A spokesperson to Hertz declined to say how many people were affected overall — only telling Recorded Future News that “it would be inaccurate to say millions of customers are affected.”

The notification to Texas said 96,665 residents of the state were affected, and the number of Maine residents was 3,409, meaning the nationwide number could be tens of thousands more.

The vulnerable software was the file sharing platform Cleo. In comments to Recorded Future News and breach notification letters to victims, Hertz explained that it uses Cleo “for limited purposes” but discovered in February that hackers exploited a zero-day vulnerability within the software in October 2024 and December 2024.

The information stolen includes contact information, payment card information, driver’s licenses and information related to worker’s compensation claims. Others had Social Security numbers, government IDs, passports, Medicare or Medicaid ID, or injury-related information associated with vehicle accident claims leaked through the hack. 

Hertz said it reported the incident to law enforcement and is providing victims with two years of identity protection services through Kroll. Hertz began notifying victims on April 11 through email, breach notification letters and notices on the company website.

A spokesperson for the company said a forensic investigation revealed that Hertz’s network was technically never affected by the incident. 

“However, among many other companies affected by this event, we have confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo's platform in October 2024 and December 2024,” the spokesperson said. 

Over the last two months, multiple companies have come forward to say they were impacted by the exploitation of the Cleo bug.. Two weeks ago, American food manufacturing giant WK Kellogg confirmed that hackers stole employee information through the same vulnerability. Last month, Phoenix-based Western Alliance Bank said the information of more than 20,000 people was stolen through their Cleo instance.

Hertz was one of hundreds of companies and organizations named by the Clop ransomware gang in October after the group claimed it was behind the exploitation of the Cleo vulnerability.  IT giant Hewlett Packard Enterprise and Thomson Reuters, whose Legal Tracker subsidiary was also named by Clop, both either confirmed limited breaches or said they are investigating the claims