Full Report
Car rental giant Hertz has been notifying state regulators of a data breach that occurred through third-party file sharing software. Tens of thousands of people are affected, but the company hasn't specified a total number.
Analysis Summary
# Incident Report: Hertz Data Theft via Cleo Exploitation
## Executive Summary
Car rental giant Hertz suffered a significant data breach after threat actors exploited zero-day vulnerabilities in Cleo, a third-party file-transfer platform Hertz used, in October and December 2024. The confirmed impact includes the exfiltration of sensitive personal information, including Social Security numbers, driver's license numbers and payment card details, affecting at least tens of thousands of individuals across the US; Hertz has not given a total. Hertz responded by commissioning a forensic investigation, notifying regulators and affected individuals beginning in April 2025, and offering identity protection services.
## Incident Details
- **Discovery Date:** February 2025 (When Hertz discovered the exploitation)
- **Incident Date:** October 2024 and December 2024 (When the zero-day vulnerabilities were exploited)
- **Affected Organization:** The Hertz Corporation (including Dollar and Thrifty brands)
- **Sector:** Travel/Car Rental Services
- **Geography:** Nationwide (US); notifications sent to California, Iowa, Maine, Texas, Vermont, among others.
## Timeline of Events
### Initial Access
- **Date/Time:** October 2024 and December 2024
- **Vector:** Exploitation of zero-day vulnerabilities in Cleo, the third-party file-transfer software Hertz used.
- **Details:** Attackers targeted the Cleo platform, which Hertz says it used "for limited purposes"; the data was taken from that environment rather than from Hertz's own network.
### Lateral Movement
- **Details:** Per the article, the forensic investigation found that Hertz's own network was "technically never affected by the incident." The compromise therefore appears to have been confined to the Cleo environment, where the unauthorized third party acquired the data; no movement from Cleo into Hertz systems is reported.
### Data Exfiltration/Impact
- **Details:** Sensitive data was acquired, including Social Security numbers, driver's license numbers, payment card information, Medicare/Medicaid IDs, passport numbers, and injury and workers' compensation claim details.
### Detection & Response
- **Discovery:** Hertz learned in February 2025 that its data had been acquired, after exploitation of the Cleo vulnerabilities had become widely known across the industry.
- **Response actions taken:** Reported the incident to law enforcement; began notifying state regulators in the week before the article was published; began notifying affected individuals by email and letter on April 11, 2025, with an offer of two years of identity protection services from Kroll.
## Attack Methodology
- **Initial Access:** Exploitation of zero-day vulnerabilities in the Cleo file-transfer software (October and December 2024).
- **Persistence:** Not detailed; the source does not say whether the attackers maintained access to the Cleo instance between the October and December activity.
- **Privilege Escalation:** Not detailed. The source does not say whether escalation was needed; a vulnerability in the file-transfer service itself can expose the files it handles without any further escalation.
- **Defense Evasion:** Not detailed. Because the flaws were zero-days, no vendor patch was available when the October 2024 exploitation occurred.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed; the data taken corresponds to files stored in or passing through the Cleo environment.
- **Lateral Movement:** Limited to the file-transfer environment; Hertz's core network was reportedly unaffected.
- **Collection:** Contact information, financial data (payment cards), government identifiers (SSNs, driver's licenses, passports), and health and claim information.
- **Exfiltration:** Confirmed; the data was acquired by an unauthorized third party. Volumes and transfer method are not disclosed.
- **Impact:** Theft of PII, government identifiers, payment card data and health/claim information.
## Impact Assessment
- **Financial:** Not disclosed. Costs of the forensic investigation, regulatory and individual notification, and two years of Kroll identity protection for affected individuals will be significant.
- **Data Breach:** Social Security numbers, driver's license numbers, passport numbers, payment card details, Medicare/Medicaid IDs, and workers' compensation/injury claim information. The total national count is unknown but is at least in the tens of thousands (e.g., 96,665 Texas residents alone).
- **Operational:** The article does not indicate significant operational disruption to Hertz’s rental services, as the core network was reportedly unaffected.
- **Reputational:** Public notification required across several states, impacting the reputation of Hertz and its brands (Dollar, Thrifty). The incident is tied to the broader industry exploitation claimed by the Clop ransomware gang.
## Indicators of Compromise
- **Network indicators (defanged):** None provided in the source; no IPs, domains or hashes are published. Any network indicators would concern traffic to and from the Cleo instance during the October and December 2024 windows.
- **File indicators:** None provided.
- **Behavioral indicators:** Unauthorized file access and outbound data transfer from the Cleo environment in October and December 2024, i.e. downloads that do not match the platform's normal partners, accounts, volumes or hours.
## Response Actions
- **Containment measures:** Not stated in the source; isolating or disabling the affected Cleo instance is implied but not confirmed.
- **Eradication steps:** Not detailed in the source.
- **Recovery and notification actions:** Reported the incident to law enforcement, notified state regulators and affected individuals, and offered two years of Kroll identity protection services.
## Lessons Learned
- **Key takeaways:** Third-party file-transfer software, even one used "for limited purposes," sits in the data path and inherits the sensitivity of everything placed on it; a zero-day in that product is a supply-chain risk the customer cannot patch in advance. Note that the data was taken from the Cleo environment even though Hertz's own network was reportedly never affected.
- **What could have been done better:** Faster patching and compensating controls once the vendor advisory and industry reporting appeared, although the October 2024 exploitation predates vendor patch availability; and keeping less data, for less time, on the transfer platform, since what was resident there is what was lost. Hertz did not discover the theft until February 2025, months after the December activity, so detection coverage of the Cleo environment was also a gap.
## Recommendations
- **Prevention measures for similar incidents:** Segment third-party file-transfer servers from the internal network and grant them least-privilege access, so that a compromise of the transfer product stays in the transfer environment. Minimize what sits on the platform: remove files once delivered, and avoid staging sensitive identifiers (SSNs, driver's license and passport numbers, card data, health IDs) there at all where the business process allows. Treat vendor advisories for internet-facing, data-handling software as emergency changes, with rapid patching or temporary takedown of the service. Monitor the transfer platform itself: baseline per-day outbound volume, remote addresses, accounts and hours of activity, and alert on departures from that baseline, so that bulk downloads are caught in days rather than months.
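The behavioral indicator above (unauthorized transfer out of the file-transfer environment) and the monitoring recommendation can be turned into concrete detection logic. The following is an added example written for this report, not code from Hertz, Cleo or the article. It assumes a generic, constructed audit-log format of `timestamp direction remote_ip account bytes` (this is not Cleo's real log format), and the sample lines are made up: nine days of routine partner pulls followed by one night where an unknown address downloads roughly 800 MB. Three checks run over the log: daily egress against a median baseline, downloads from remote addresses not seen during a learning window, and downloads outside business hours.

```python
"""Egress-volume and new-peer detection over a file-transfer audit log.

Added example for this report; not code from Hertz, Cleo or the article.
The log format is a constructed, generic "timestamp direction remote_ip
account bytes" record, NOT Cleo's actual log format, and the sample lines
are made up to illustrate the detection logic.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample: nine days of small partner pulls, then an unknown
# address pulling ~800 MB at 02:00 UTC on the tenth day.
SAMPLE_LOG = """\
2024-12-01T09:12:04Z DOWNLOAD 203.0.113.10 partner_a 18000000
2024-12-01T09:40:11Z UPLOAD 203.0.113.10 partner_a 2000000
2024-12-02T09:15:33Z DOWNLOAD 203.0.113.10 partner_a 21000000
2024-12-03T10:02:48Z DOWNLOAD 203.0.113.10 partner_a 19500000
2024-12-04T09:58:20Z DOWNLOAD 203.0.113.25 partner_b 24000000
2024-12-05T09:11:07Z DOWNLOAD 203.0.113.10 partner_a 20000000
2024-12-06T09:30:45Z DOWNLOAD 203.0.113.10 partner_a 17500000
2024-12-07T11:05:12Z DOWNLOAD 203.0.113.25 partner_b 22000000
2024-12-08T09:20:39Z DOWNLOAD 203.0.113.10 partner_a 19000000
2024-12-09T09:44:16Z DOWNLOAD 203.0.113.10 partner_a 20500000
2024-12-10T02:14:52Z DOWNLOAD 198.51.100.77 svc_transfer 410000000
2024-12-10T02:31:09Z DOWNLOAD 198.51.100.77 svc_transfer 395000000
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, direction, ip, account, size = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            size = int(size)
        except ValueError:
            continue
        records.append({"ts": when, "dir": direction, "ip": ip,
                        "account": account, "bytes": size})
    return records


def daily_egress(records):
    """Bytes downloaded (data leaving the host) per UTC date, in date order."""
    totals = defaultdict(int)
    for r in records:
        if r["dir"] == "DOWNLOAD":
            totals[r["ts"].date()] += r["bytes"]
    return dict(sorted(totals.items()))


def volume_anomalies(records, factor=5.0, min_baseline_days=5):
    """Flag days whose egress exceeds `factor` x the median of all prior days.

    A median baseline resists a single earlier spike; the minimum baseline
    length avoids alerting on the first few days of data.
    """
    alerts, history = [], []
    for day, total in daily_egress(records).items():
        if len(history) >= min_baseline_days:
            baseline = median(history)
            if baseline > 0 and total > factor * baseline:
                alerts.append({"date": day, "bytes": total,
                               "ratio": round(total / baseline, 2)})
        history.append(total)
    return alerts


def new_remote_peers(records, baseline_days=7):
    """Flag downloads from remote addresses never seen in the first N days."""
    if not records:
        return []
    first_day = min(r["ts"].date() for r in records)
    known = {r["ip"] for r in records
             if (r["ts"].date() - first_day).days < baseline_days}
    seen = {}
    for r in records:
        if r["dir"] == "DOWNLOAD" and r["ip"] not in known:
            entry = seen.setdefault(r["ip"], {"ip": r["ip"], "first_seen": r["ts"], "bytes": 0})
            entry["first_seen"] = min(entry["first_seen"], r["ts"])
            entry["bytes"] += r["bytes"]
    return list(seen.values())


def off_hours_downloads(records, start_hour=7, end_hour=20):
    """Downloads outside the business window [start_hour, end_hour) UTC."""
    return [r for r in records
            if r["dir"] == "DOWNLOAD" and not (start_hour <= r["ts"].hour < end_hour)]


def run_detections(text):
    """Run all three checks over a raw log and return the alerts by check."""
    records = parse_log(text)
    return {"volume": volume_anomalies(records),
            "new_peers": new_remote_peers(records),
            "off_hours": off_hours_downloads(records)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {len(hits)} alert(s)")
        for hit in hits:
            print("  ", hit)
```

Each check alone is noisy (a legitimate month-end batch trips the volume rule; a partner changing egress IP trips the peer rule), but the tenth day in the sample fires all three at once, which is the kind of corroboration worth paging on. The thresholds, window lengths and business hours are illustrative assumptions and should be tuned to the platform's real traffic; the point is that the transfer host's own logs carry enough signal to catch a bulk pull in a day rather than months later.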