Hertz has confirmed a data breach exposing customer data after a zero-day attack targeting file transfer software from Cleo Communications
# Incident Report: Hertz Data Breach via Cleo Zero-Day Exploit
## Executive Summary
Hertz Corporation suffered a significant data breach affecting its Hertz, Thrifty, and Dollar brands after attackers exploited a zero-day vulnerability in third-party file transfer software provided by Cleo Communications. The incident, occurring between October and December 2024, resulted in the exfiltration of extensive customer data, including financial details and government IDs. The Clop ransomware group is suspected of responsibility. The breach has prompted widespread breach notifications and required forensic investigation and remediation efforts across the affected entities.
## Incident Details
- **Discovery Date:** Not explicitly stated, but disclosure occurred on February 10, 2025.
- **Incident Date:** October and December 2024.
- **Affected Organization:** Hertz Corporation (affecting Hertz, Thrifty, and Dollar brands).
- **Sector:** Travel/Rental Services.
- **Geography:** Not explicitly stated, but notifications were reported in US states (e.g., Maine).
## Timeline of Events
### Initial Access
- **Date/Time:** Occurred across October and December 2024.
- **Vector:** Exploitation of an unpatched (zero-day) vulnerability in the Cleo file transfer software used by Hertz.
- **Details:** Attackers leveraged the zero-day flaw in the Cleo platform to gain initial unauthorized access.
### Lateral Movement
- **Details:** The article does not detail specific lateral movement techniques, but successful data exfiltration implies movement within the environment hosting the data managed by the Cleo platform.
### Data Exfiltration/Impact
- **Details:** Sensitive customer data was accessed and likely exfiltrated. Affected data included: Names, contact information, dates of birth, credit card details, driver’s license numbers, workers’ compensation claim data. In some cases, highly sensitive data like Social Security numbers, government-issued IDs, passport information, and injury records were accessed.
### Detection & Response
- **Details:** The breach was disclosed on February 10, 2025, suggesting detection occurred prior to this date. Hertz acknowledged the breach and Cleo subsequently patched the exploited vulnerabilities. Breach notifications were issued to affected residents (e.g., 3,409 Maine residents).
## Attack Methodology
- **Initial Access:** Zero-day exploitation of Cleo file transfer software.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed; the attackers presumably relied on the access inherently granted by exploiting a critical business application rather than on separate evasion techniques.
- **Credential Access:** Not detailed, though the theft of driver's license numbers and SSNs means identity data was accessed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering of personal and financial customer records.
- **Exfiltration:** Data theft resulting from successful compromise of the file transfer system.
- **Impact:** Exposure of PII, PHI (injury records), and financial data.
## Impact Assessment
- **Financial:** Not explicitly quantified, but significant costs associated with remediation, notification, and potential litigation are implied.
- **Data Breach:** Extensive exposure of PII, financial details (credit cards), driver's license numbers, DOBs, and highly sensitive data (SSNs, passport info, workers' comp/injury records).
- **Operational:** Disruption related to incident management and compliance obligations (e.g., issuing breach notifications).
- **Reputational:** Damage to the standing of Hertz, Thrifty, and Dollar brands due to the sensitive nature of the exposed data.
## Indicators of Compromise
- **Network indicators:** Details related to the specific exploitation traffic or C2 communications are not provided in the summary.
- **File indicators:** Not detailed.
- **Behavioral indicators:** Successful exploitation of a widely used business application (file transfer software) indicates that the attackers targeted a product vulnerability shared across the industry rather than weaknesses specific to Hertz.
## Response Actions
- **Containment:** Implied actions involved securing the Cleo platform environment and likely isolating compromised systems.
- **Eradication steps:** Not detailed, beyond the fact that Cleo patched the vulnerabilities.
- **Recovery actions:** Issuing data breach notifications to affected individuals (e.g., Maine residents).
## Lessons Learned
- **Key takeaways:** Reliance on third-party software (like Cleo) introduces significant systemic risk when zero-day vulnerabilities exist in it. File transfer platforms, which by design handle sensitive data, are high-value targets and a natural primary access point for attackers.
- **What could have been done better:** Proactive vulnerability management and segmentation of critical file transfer solutions from core customer databases, or greater scrutiny/segmentation of data flowing through partner applications.
## Recommendations
- **Prevention measures for similar incidents:** Immediate patching protocols must be established for critical third-party file transfer solutions. Implement stricter network segmentation between external-facing data/file transfer services and internal repositories containing PII/SSNs. Enhance monitoring specifically around the activity paths of data processed by software vendors like Cleo.
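The monitoring recommendation above can be made concrete as a small egress review over file transfer server access records. The script below is an added example, not code from the report, from Hertz, or from Cleo: the log format, host addresses, account names, partner allow-list and thresholds are all constructed for illustration and do not reflect Cleo's real log format or any Hertz data. It summarizes GET activity per source address and flags sources that fall outside the partner allow-list, that pull more bytes than a baseline, or that fetch many distinct files within a short window, which is the pattern a bulk export through a compromised transfer host would leave.

```python
"""Baseline-and-threshold egress review for a managed file transfer (MFT) host.

Added illustration: the log lines, addresses, accounts, allow-list and
thresholds are constructed for this example (hypothetical, not Cleo's
real log format and not Hertz data).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of MFT access records:
#   timestamp  client_ip  account  action  path  bytes
# The two partner sources pull or push a couple of files each; the third
# source pulls many large, sensitive exports within about 90 seconds.
SAMPLE_LOG = """\
2024-10-14T02:01:10Z 198.51.100.20 partner_acme GET /out/invoices_1013.csv 120334
2024-10-14T02:01:15Z 198.51.100.20 partner_acme GET /out/invoices_1014.csv 118902
2024-10-14T02:05:40Z 203.0.113.77 svc_mft GET /out/customers_full.csv 88233410
2024-10-14T02:05:52Z 203.0.113.77 svc_mft GET /out/claims_2024.csv 41022901
2024-10-14T02:06:03Z 203.0.113.77 svc_mft GET /archive/ids_scan_batch1.zip 530221900
2024-10-14T02:06:20Z 203.0.113.77 svc_mft GET /archive/ids_scan_batch2.zip 512998100
2024-10-14T02:06:41Z 203.0.113.77 svc_mft GET /out/drivers_license_export.csv 9022111
2024-10-14T02:07:02Z 203.0.113.77 svc_mft GET /out/passport_export.csv 7311000
2024-10-14T03:30:00Z 198.51.100.21 partner_beta PUT /in/orders_1014.xml 20331
"""

# Constructed allow-list of networks that legitimately exchange files with the host.
PARTNER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class SourceActivity:
    """Download activity aggregated for one client address."""
    first_seen: datetime
    last_seen: datetime
    bytes_out: int = 0
    files: set[str] = field(default_factory=set)
    accounts: set[str] = field(default_factory=set)


def parse_line(line: str):
    """Split one constructed access record into typed fields."""
    ts, ip, account, action, path, size = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, action, path, int(size)


def summarize(log_text: str) -> dict[str, SourceActivity]:
    """Aggregate outbound (GET) transfers per source address."""
    activity: dict[str, SourceActivity] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, action, path, size = parse_line(line)
        if action != "GET":          # only downloads count as egress
            continue
        rec = activity.get(ip)
        if rec is None:
            rec = activity[ip] = SourceActivity(first_seen=ts, last_seen=ts)
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)
        rec.bytes_out += size
        rec.files.add(path)
        rec.accounts.add(account)
    return activity


def find_suspicious(log_text: str, max_bytes: int = 100_000_000, max_files: int = 5,
                    window: timedelta = timedelta(minutes=10)):
    """Return [(ip, [reasons])] for sources that breach the allow-list or the baselines.

    Thresholds are illustrative; in practice they come from the host's own history.
    """
    findings = []
    for ip, rec in sorted(summarize(log_text).items()):
        reasons = []
        if not any(ipaddress.ip_address(ip) in net for net in PARTNER_NETWORKS):
            reasons.append("source outside partner allow-list")
        if rec.bytes_out > max_bytes:
            reasons.append(f"{rec.bytes_out} bytes downloaded (baseline {max_bytes})")
        span = rec.last_seen - rec.first_seen
        if len(rec.files) > max_files and span <= window:
            reasons.append(f"{len(rec.files)} distinct files pulled in {int(span.total_seconds())}s")
        if reasons:
            findings.append((ip, reasons))
    return findings


if __name__ == "__main__":
    for ip, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ip}: " + "; ".join(reasons))
```

Run against the constructed sample, only 203.0.113.77 is reported, for all three reasons; the partner addresses stay within their baselines and the upload-only source is ignored. The allow-list check is the cheapest of the three signals and directly supports the segmentation recommendation: an external file transfer host should only ever be reachable from known partner ranges, so any other source address warrants a ticket regardless of volume.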