More than 100,000 had information stolen from Hertz through Cleo file share tool


Thousands of Social Security and driver’s license numbers were pilfered from car rental giant Hertz when hackers exploited a vulnerability in a popular file sharing tool last fall. 

Hertz, which owns its eponymous car rental company as well as top brands like Dollar and Thrifty, began reporting a data breach to state regulators in California, Iowa, Maine, Texas and Vermont last week.

The company did not report the total number of people affected nationwide to regulators in Maine, which typically collects that information. A spokesperson for Hertz declined to say how many people were affected overall, telling Recorded Future News only that “it would be inaccurate to say millions of customers are affected.”

The notification to Texas said 96,665 residents of the state were affected, and the number of Maine residents was 3,409, meaning the nationwide number could be tens of thousands more.

The vulnerable software was the file sharing platform Cleo. In comments to Recorded Future News and breach notification letters to victims, Hertz explained that it uses Cleo “for limited purposes” but discovered in February that hackers exploited a zero-day vulnerability within the software in October 2024 and December 2024.

The information stolen includes contact information, payment card information, driver’s license numbers and information related to workers’ compensation claims. For a smaller number of people, the stolen data also included Social Security numbers, government IDs, passport numbers, Medicare or Medicaid IDs, or injury-related information associated with vehicle accident claims.

Hertz said it reported the incident to law enforcement and is providing victims with two years of identity protection services through Kroll. Hertz began notifying victims on April 11 through email, breach notification letters and notices on Hertz’s website.

A spokesperson for the company said a forensic investigation revealed that Hertz’s network was technically never affected by the incident. 

“However, among many other companies affected by this event, we have confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024,” the spokesperson said. 

Over the last two months, multiple companies have come forward to say they were impacted by the exploitation of the Cleo bug. Two weeks ago, American food manufacturing giant WK Kellogg confirmed that hackers stole employee information through the same vulnerability. Last month, Phoenix-based Western Alliance Bank said the information of more than 20,000 people was stolen through its Cleo instance.

Hertz was one of hundreds of companies and organizations named by the Clop ransomware gang in October after the group claimed it was behind the exploitation of the Cleo vulnerability. IT giant Hewlett Packard Enterprise and Thomson Reuters, whose Legal Tracker subsidiary was also named by Clop, have either confirmed limited breaches or said they are investigating the claims.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
