The car rental giant attributed the breach to Cleo, whose customers had data stolen by a ransomware gang in 2024.
# Incident Report: Hertz Vendor Breach Exfiltrates Customer PII and Driver's Licenses
## Executive Summary
Car rental company Hertz suffered a data breach impacting customer personal information and driver's licenses due to a cyberattack targeting one of its third-party vendors, Cleo Software, between October and December 2024. The incident resulted in the exfiltration of sensitive PII, including driver's licenses and, for a smaller subset of customers, Social Security numbers. Hertz began customer notification in April 2025, attributing the exposure to the known Clop ransomware gang exploiting a zero-day vulnerability in the vendor's file transfer products.
## Incident Details
- **Discovery Date:** Notifications began in April 2025 (based on disclosure dates).
- **Incident Date:** Occurred between October 2024 and December 2024.
- **Affected Organization:** Hertz (including Dollar and Thrifty brands).
- **Sector:** Travel/Car Rental Services.
- **Geography:** Global/Multiple US states (including California and Maine).
## Timeline of Events
### Initial Access
- **Date/Time:** Sometime between October 2024 and December 2024.
- **Vector:** Exploitation of a zero-day vulnerability in Cleo Software's enterprise file transfer products.
- **Details:** The attack originated at Hertz's vendor, Cleo Software, which was concurrently targeted by the Russia-linked Clop ransomware gang.
### Lateral Movement
- *Not explicitly detailed, but implied movement occurred within the vendor's environment to access Hertz-related data.*
### Data Exfiltration/Impact
- **Impact:** Theft of customer data, including names, dates of birth, contact information, driver’s licenses, payment card information, and workers’ compensation claims. Government IDs and SSNs were taken for a small number of customers.
### Detection & Response
- **How it was discovered:** Hertz identified the breach after the vendor compromise came to light, and the resulting legal notification duties led to notices being issued to affected customers and to state regulators (e.g., California, Maine) starting in April 2025.
- **Response actions taken:** Hertz began notifying affected customers across various regions and US states.
## Attack Methodology
- **Initial Access:** Exploitation of a zero-day vulnerability in the Cleo Software platform (an enterprise file transfer solution).
- **Persistence:** *Not detailed.*
- **Privilege Escalation:** *Not detailed.*
- **Defense Evasion:** *Relies on exploiting a software vulnerability to bypass typical perimeter defenses.*
- **Credential Access:** *Not detailed. Driver's license numbers were among the stolen data and can be used to support later identity theft.*
- **Discovery:** *Not detailed.*
- **Lateral Movement:** *Implied movement within the vendor's systems to locate and collect Hertz client data.*
- **Collection:** Gathering of PII, payment card details, driver’s licenses, and SSNs.
- **Exfiltration:** Data was extracted from the compromised Cleo Software environment.
- **Impact:** Identity theft risk and unauthorized access to sensitive personal and financial data.
## Impact Assessment
- **Financial:** *Not disclosed.*
- **Data Breach:** Personal information, driver's licenses (government IDs), payment card information, date of birth, contact info, workers’ compensation claims, and SSNs (for a small number of customers). Over 3,400 notified in Maine alone.
- **Operational:** *Minimal direct operational impact on Hertz reported, focus remains on data exposure.*
- **Reputational:** Negative publicity following mandatory disclosures by Hertz.
## Indicators of Compromise
- **Network indicators:** *None provided (vendor-specific exploitation).*
- **File indicators:** *None provided.*
- **Behavioral indicators:** Successful exploitation of an enterprise file transfer product vulnerability.
## Response Actions
- **Containment measures:** *Not detailed, assumed focus was on securing the connection/data flow with the compromised vendor.*
- **Eradication steps:** *Not detailed, likely involved terminating the vendor relationship or patching the exploited software dependency.*
- **Recovery actions:** Notifying affected customers and regulatory bodies.
## Lessons Learned
- Reliance on third-party vendors that handle sensitive data poses a significant threat vector, especially when those vendors utilize insecure or vulnerable file transfer mechanisms.
- Zero-day vulnerabilities in widely used file transfer products (such as those targeted by the Clop gang) can lead to breaches at many client organizations at once, which those downstream organizations cannot prevent on their own.
## Recommendations
- Immediately conduct a thorough audit of all third-party vendors, prioritizing those with access to high-sensitivity data (PII, financial records).
- Require all critical vendors to adhere to strict security standards, including timely patching and robust monitoring of their perimeter gateways and file transfer systems.
- Accelerate the transition away from reliance on file transfer appliances vulnerable to zero-day exploitation.