
Car rental giant Hertz has confirmed suffering a cyberattack in which it lost sensitive customer information.
In a data breach notification letter published on its website, the company said that the incident involved Cleo Communications, a software company that provided file transfer services for Hertz “for limited purposes”.
The report says an unidentified threat actor exploited a zero-day vulnerability in the Cleo platform to exfiltrate sensitive data in October and December 2024. The attack was spotted in mid-February 2025, prompting an investigation, with the analysis concluding some customer data was taken.
“We completed this data analysis on April 2, 2025, and concluded that the personal information involved in this event may include the following: name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims,” the announcement reads.
“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event.”
The exact number of affected individuals is not known at this time, with a company spokesperson saying it would be “inaccurate to say millions” of customers are affected.
The identity of the attackers and the nature of the breach are also unknown at this time. It most likely wasn’t a ransomware attack, since it took the company months to realize it was hacked. Instead, this was most likely a simple data smash-and-grab.
To mitigate the damages, Hertz is offering two years of identity monitoring and dark web monitoring services to potentially impacted individuals, through Kroll, at no cost.
At press time, there was no evidence that the stolen data was misused in any way.
Via TechCrunch