Hertz confirms data breach tied to Cleo exploit, customers’ personal data stolen
Car rental giant latest victim of Clop ransomware attack exploiting Cleo file transfer software
Four months after the Clop ransomware gang exploited a zero-day vulnerability in Cleo’s file transfer platform, Hertz has confirmed that customer data from its Hertz, Thrifty, and Dollar brands was stolen in the attack.
The breach occurred in October and December 2024 and adds to a wider wave of cyberattacks targeting organisations using Cleo’s managed file transfer solutions.
Hertz began notifying affected customers last week after completing its analysis of the incident on 2nd April.
While the car rental company holds that there is currently no evidence that any of the stolen personal information has been misused for fraudulent purposes, it admits that the compromised data may include names, contact details, dates of birth, driver’s licence numbers, credit card information and workers’ compensation claims details. For a smaller subset of individuals, even more sensitive data such as social security numbers, government ID numbers, passport information and US Medicare or Medicaid IDs may have been exposed.
In a Notice of Data Incident, Hertz stated, “A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event”.
Attack overview
The breach stemmed from vulnerabilities tracked as CVE-2024-50623 and CVE-2024-55956, which allowed the Clop ransomware group to gain unauthorised access to Cleo’s file transfer systems. These vulnerabilities were believed to have been successfully patched in late October 2024. However, open-source intelligence (OSINT) research that surfaced in late November, as reported by Darktrace, stated that the Clop ransomware group had managed to bypass this initial security measure, leading to the exploitation of the CVEs.
Since the Cleo attack was first reported, the Clop gang, which is believed to have Russian roots, has listed hundreds of organisations on its data leak site, with security experts warning that the number of impacted companies is likely to rise further.
Two years ago, the ransomware group claimed responsibility for an attack that affected a wide range of companies, including British Airways, Boots and the BBC.
Hertz’s disclosure adds it to a growing list of companies affected by the Cleo breach. Other confirmed victims include WK Kellogg, Chicago Public Schools, Western Alliance Bank and Champion Home Builders.
In response to the breach, Hertz is offering two years of complimentary identity monitoring services to affected customers and has reported the incident to law enforcement and regulatory authorities.
This article was amended to clarify that the breach occurred in October and December rather than between those months, as was originally stated.