Hertz Corporation has provided notice of a cyber event involving a file transfer platform, which may have impacted the personal information of certain individuals.

The car hire company named “Cleo Communications” as the provider of the file transfer platform, a vendor of Hertz, which it uses “for limited purposes.”

The filing said that on February 10th 2025, Hertz data was acquired by an unauthorised third party “that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.”

Analysis Completed

An analysis was completed on April 2nd, and concluded that the personal information involved in this event may include names, contact information, dates of birth, credit card information, driver’s license information and information related to workers’ compensation claims.

“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event.”

The company said that Cleo took steps to investigate the event and address the identified vulnerabilities, while Hertz reported the event to law enforcement and is in the process of reporting the event to relevant regulators.

“While Hertz is not aware of any misuse of personal information for fraudulent purposes in connection with the event, we encourage potentially impacted individuals, as a best practice, to remain vigilant to the possibility of fraud or errors by reviewing account statements and monitoring free credit reports for any unauthorised activity and reporting any such activity.”

Exposure Management

Andrew Lintell, general manager, EMEA at Claroty said that the nature of this breach, a vulnerability in software provider, Cleo, proves that exposure management is vital. “This requires granular visibility into all assets and prioritising the most at-risk areas,” he said.

“Exposure management weighs priorities based on multiple risk factors, and results in a drastically reduced and more focused to-do list for security teams. Prioritising vulnerabilities will enable organisations to manage risks quickly and efficiently, drastically improving defences against nation-state threats, ransomware, and cyber-criminals.”