.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
Know Your Breach: Hertz
Apr 17, 2025 1:53:33 PM
The Target: Car rental giant Hertz
The Take: The stolen data varies by region, but largely includes Hertz customer names, dates of birth, contact information, driver’s licenses, payment card information, and workers’ compensation claims. Hertz said a smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers.
The Vector: The company attributed the breach to a vendor, software maker Cleo, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang. Hertz is one of dozens of companies that used Cleo’s software at the time of their data thefts. The Clop ransomware gang claimed last year to have exploited a zero-day vulnerability in Cleo’s widely used enterprise file transfer products, which allow companies to share large sets of sensitive data over the internet. By breaching these systems, the hackers stole reams of data from Cleo’s corporate customers.
This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.
