Hertz Global Holdings has formally confirmed a significant data breach that compromised personal information—including driver’s license numbers and financial details—of its customers across the Hertz, Thrifty, and Dollar rental brands. The intrusion stemmed from the exploitation of zero-day vulnerabilities in a third-party secure file transfer platform developed by Cleo, a provider of B2B integration solutions.
This incident is part of a broader supply chain attack campaign attributed to the Clop ransomware gang, which has impacted dozens of enterprises globally, and reflects a growing trend of data extortion attacks without encryption.
🔍 Technical Overview of the Breach
🛠️ Attack Vector: Cleo Platform Exploitation
- Platform involved: Cleo Harmony, VLTrader, and LexiCom
- Initial breach period: Between October and December 2024
- Vulnerability type: Zero-day in managed file transfer (MFT) software
- Discovery date: Hertz became aware of the breach on February 10, 2025
Cleo’s solutions are widely used in automated, large-scale data exchanges, especially in logistics, finance, and enterprise IT ecosystems—making them an attractive target for attackers aiming to harvest sensitive PII and operational data at scale.
📋 Data Compromised
The stolen data, according to Hertz and official disclosures (including a breach notice filed in Maine), includes:
- Full names
- Email addresses and phone numbers
- Physical mailing addresses
- Dates of birth
- Driver’s license numbers
- Credit card information
- Employment and insurance-related data (e.g., workers’ compensation claims, accident records)
- In some cases:
- Social Security Numbers (SSNs)
- Passport numbers
- Medicare or Medicaid identifiers
This constitutes a high-risk breach, involving multiple forms of personally identifiable information (PII) and regulated health/identity data.
🧠 Clop Ransomware Group: From Encryption to Pure Extortion
The threat actor behind the attack, the Clop ransomware gang, is known for pivoting away from traditional encryption-based ransomware to data theft and extortion.
📌 Recent Clop Victims Include:
- Western Alliance Bank
- WK Kellogg Co
- Sam’s Club
- Hertz Global Holdings
Clop’s model now focuses on exploiting enterprise-grade software vulnerabilities, extracting data silently, and threatening public exposure via “leak sites” if ransom demands are unmet.
Notably, some of Hertz’s stolen data has already been posted on Clop’s dark web extortion portal.
🛡️ Hertz’s Response and Customer Notification
- Engaged third-party forensic and legal experts.
- Reported the incident to law enforcement and regulatory bodies.
- Sent breach notifications to affected individuals, including over 3,400 in Maine alone.
- Offered two years of free identity protection through Kroll, including:
- Credit monitoring
- Fraud consultation
- Identity theft recovery services
At this time, Hertz reports no confirmed misuse of the compromised data.
🧪 Real-World Impact Scenarios
📨 Example 1: Phishing with Valid PII
An attacker could send a highly personalized phishing email to a Hertz customer that references:
“Your recent rental accident claim #8743 from Thrifty – please verify updated ID and license info.”
This increases click rates and the success of credential theft or malware delivery.
📋 Example 2: Identity Fraud
Stolen license numbers, SSNs, and full profiles can be used to:
- Open fraudulent bank accounts
- Apply for loans or credit cards
- File false tax returns or unemployment claims
🔐 Lessons for the Cybersecurity Community
🔗 1. Supply Chain Risks Are Amplifying
This incident underscores the critical need for continuous third-party risk assessment, especially for file transfer and integration platforms that handle sensitive datasets.
✅ Action: Conduct penetration testing or red teaming focused on MFT and B2B gateways.
🔎 2. Attackers No Longer Need Encryption to Win
Modern extortion groups like Clop have proven that stealing and leaking data is just as damaging, particularly when brand trust, customer loyalty, and legal compliance are at stake.
✅ Action: Treat data exfiltration alerts as critical as ransomware encryption events.
🧰 3. MFT Tools = Unseen Infrastructure Risk
Tools like Cleo, MOVEit, and GoAnywhere often operate outside traditional EDR visibility, but are core data arteries.
✅ Action: Include these platforms in continuous monitoring and vulnerability scanning.
The Hertz breach is a case study in supply chain exploitation, stealthy lateral access, and the changing economics of cybercrime. It highlights the growing importance of visibility across third-party software stacks, particularly platforms used for automated high-volume data exchanges.
Security leaders must evolve from solely perimeter-based strategies to an ecosystem-wide resilience model, where every integration point is monitored, governed, and risk-evaluated.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.
