Car rental giant Hertz has begun notifying its customers of a data breach that included their personal information and driver’s licenses.
The rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors between October 2024 and December 2024.
The stolen data varies by region, but largely includes Hertz customer names, dates of birth, contact information, driver’s licenses, payment card information, and workers’ compensation claims. Hertz said a smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers.
Notices on Hertz’s websites disclosed the breach to customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom.
Hertz also disclosed the breach to several U.S. states, including California and Maine. Hertz said at least 3,400 customers in Maine were affected, but did not list the total number of affected individuals, which is likely to be significantly higher.
Emily Spencer, a spokesperson for Hertz, would not provide TechCrunch with a specific number of individuals affected by the breach but said it would be “inaccurate to say millions” of customers are affected.
The company attributed the breach to a vendor, Cleo Software, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang.
Hertz is one of dozens of companies that used Cleo Software at the time of their data thefts. The Clop ransomware gang claimed last year to have exploited a zero-day vulnerability in Cleo’s widely used enterprise file transfer products, which allow companies to share large sets of sensitive data over the internet. By breaching these systems, the hackers stole reams of data from Cleo’s corporate customers.
Soon after, the Clop ransomware gang claimed on its dark web leak site that it stole data from close to 60 companies by exploiting the bug in their Cleo systems. In a later post, Clop claimed dozens more alleged corporate victims.
The data extortion campaign became one of the most notable mass-hacks of 2024.
At the time, Hertz, which was named on Clop’s site, said it had “no evidence” that Hertz data or Hertz systems were affected.
On Monday, Hertz’s spokesperson told TechCrunch it found no evidence that Hertz’s own network was affected by the breach, but confirmed that Hertz data “was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.”
A Cleo executive did not respond to TechCrunch’s inquiry on Monday.