Kootechnikel Insights
Hertz Data Breach Exposes Customer Data and Driver's Licenses via Cleo Zero-Day

Author: Ze Research Writer
Read time: 7 min
Hertz confirmed a data breach affecting customers of its Hertz, Thrifty, and Dollar brands after attackers exploited zero-day vulnerabilities in Cleo file transfer software, exposing personal information including driver's licenses and credit card data.

Executive Brief

Hertz Corporation disclosed on April 14, 2025 that customer data from its Hertz, Thrifty, and Dollar rental car brands was stolen following the exploitation of zero-day vulnerabilities in Cleo Communications file transfer software. The breach, which Hertz confirmed on February 10, 2025, exposed personal information including names, contact details, dates of birth, credit card information, and driver's license data.

The attack traces back to October and December 2024, when threat actors exploited previously unknown vulnerabilities in Cleo's Harmony, VLTrader, and LexiCom products. The Clop ransomware gang, a Russia-linked cybercriminal group, claimed responsibility for the mass exploitation campaign that affected dozens of organizations using Cleo software.

Hertz stated that the breach did not compromise its internal network, as the attack targeted a third-party vendor's file transfer platform. The company began notifying affected customers and regulatory authorities, including filing a notice with Maine's attorney general indicating that at least 3,409 Maine residents were impacted. The total number of affected individuals across all states remains undisclosed.

The incident represents another significant supply chain attack, where vulnerabilities in widely used enterprise software create cascading effects across multiple organizations. Hertz is offering affected customers two years of free identity monitoring services through Kroll.

What Happened

The timeline of events spans several months:

October 2024: Threat actors began exploiting a zero-day vulnerability in Cleo's Harmony, VLTrader, and LexiCom products. Security researchers later identified this as CVE-2024-50623, an unrestricted file upload and download flaw that leads to remote code execution. Cleo shipped version 5.8.0.21 as the fix.

December 2024: A second zero-day vulnerability, CVE-2024-55956, was exploited in Cleo software, including on installations that had already applied the October patch. The flaw lets an unauthenticated attacker import and execute arbitrary Bash or PowerShell commands through the default settings of the product's Autorun directory; Cleo addressed it in version 5.8.0.24. The Clop ransomware gang conducted mass exploitation of both vulnerabilities across multiple organizations.

February 10, 2025: Hertz confirmed that data was acquired by an unauthorized third party exploiting the Cleo vulnerabilities, according to the company's official notice.

April 14, 2025: Hertz publicly disclosed the breach and began notifying affected customers. The company filed breach notifications with state attorneys general.

According to Hertz's official notice, the company "immediately began analyzing the data to identify individuals whose personal information may have been impacted" after confirming the breach in February.


Key Claims and Evidence

Hertz's official data incident notice states that the following categories of personal information were potentially exposed:

  • Name and contact information
  • Date of birth
  • Credit card information
  • Driver's license information

The notice further indicates that "a very small number of individuals" may have had Social Security numbers or government identification numbers exposed. Some customers may also have had passport information, Medicare or Medicaid IDs, or injury-related information from vehicle accident claims compromised.

According to BleepingComputer, the Clop ransomware gang listed Hertz on its data leak site in January 2025, claiming to have stolen data from the company. Clop has been linked to previous mass exploitation campaigns targeting file transfer software, including the MOVEit Transfer attacks in 2023.

Hertz emphasized in its notice that "there is no evidence that Hertz's own network was affected by this event." The company attributed the breach entirely to the third-party Cleo platform vulnerabilities.

Pros / Opportunities

For affected customers: Hertz is providing two years of complimentary identity monitoring and dark web monitoring services through Kroll. Customers can enroll using a unique code provided in their notification letters.

For the security industry: The incident reinforces the importance of supply chain security assessments and third-party vendor risk management. Organizations may use this case to justify increased investment in vendor security audits.

For regulatory compliance: The breach demonstrates functioning disclosure requirements, with Hertz filing notifications with state attorneys general as required by law.


Cons / Risks / Limitations

Scope uncertainty: Hertz has not disclosed the total number of affected individuals. The Maine filing indicates 3,409 residents in that state alone, suggesting the total could be substantially higher given Hertz's national customer base.

Delayed disclosure: The breach was confirmed in February 2025 but not publicly disclosed until April 2025, a gap of approximately two months. During this period, affected customers were unaware their data had been compromised.

Third-party dependency: The incident illustrates the risks organizations face when relying on third-party software for sensitive data transfers. Hertz had limited visibility into or control over the Cleo vulnerabilities.

Ongoing threat actor activity: The Clop ransomware gang remains active and has demonstrated a pattern of targeting file transfer software. Organizations using similar products face continued risk.

Data sensitivity: Driver's license information is particularly valuable for identity theft, as it can be used to create fraudulent identification documents or pass identity verification checks.

How the Technology Works

Cleo's file transfer products, including Harmony, VLTrader, and LexiCom, are enterprise managed file transfer (MFT) solutions used by organizations to securely exchange data with partners, vendors, and customers. These platforms handle automated file transfers, often containing sensitive business and customer information.

The vulnerabilities exploited in this attack, CVE-2024-50623 and CVE-2024-55956, allowed attackers to execute arbitrary code on systems running vulnerable Cleo software. Both were exploitable without credentials: the first is an unrestricted file upload and download flaw that leads to code execution, and the second lets an unauthenticated attacker import and execute arbitrary Bash or PowerShell commands through the default settings of the product's Autorun directory, a location from which the software runs files automatically. Because neither flaw requires authentication or user interaction, a reachable Cleo listener is all an attacker needs to take control of the host.

In a typical attack scenario, threat actors scan the internet for systems running vulnerable Cleo software, then send specially crafted requests that exploit the vulnerability. Once code execution is achieved, attackers can access files stored on or passing through the file transfer platform, exfiltrate data, and potentially move laterally within connected networks.

Technical context: Managed file transfer platforms often operate at network boundaries, receiving files from external partners and routing them to internal systems. This positioning makes them attractive targets, as compromising an MFT platform can provide access to data from multiple sources without requiring direct network intrusion. It also means that, on a well-run deployment, the set of addresses allowed to push files to the platform is small and known, which gives defenders a concrete baseline to alert against.
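Three checks a defender would run on an internet-facing MFT host like the one described above, written here as an added example (not code from Hertz, Cleo, or the cited sources): a version test against the builds in which Cleo fixed each CVE, a sweep of reverse-proxy access logs for uploads from addresses outside the partner allowlist, and a comparison of the Autorun directory against a known-good baseline. The partner ranges, the /upload path, the log lines, and the /opt/cleo/autorun path are constructed placeholders; only the fixed version numbers (5.8.0.21 and 5.8.0.24) come from Cleo's advisories.

```python
import ipaddress
import os
import re
from datetime import datetime, timezone

# Versions from Cleo's advisories for Harmony, VLTrader and LexiCom:
# 5.8.0.21 was the fix for CVE-2024-50623 and 5.8.0.24 the fix for
# CVE-2024-55956 (the October patch was bypassed in December).
FIXED_IN = {"CVE-2024-50623": (5, 8, 0, 21), "CVE-2024-55956": (5, 8, 0, 24)}


def parse_version(text):
    """'5.8.0.21' -> (5, 8, 0, 21); tuples compare element by element."""
    return tuple(int(part) for part in text.strip().split("."))


def unpatched_cves(version):
    """CVEs that still apply to a running Cleo build of this version."""
    installed = parse_version(version)
    return [cve for cve, fixed in FIXED_IN.items() if installed < fixed]


# Partner ranges (constructed placeholders) allowed to push files to the MFT.
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("192.0.2.0/24")]

# Combined-log-format line from a reverse proxy in front of the MFT.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def unexpected_uploads(log_lines):
    """Write-type requests (POST/PUT) that did not come from a partner range.

    On an MFT that only known partners should push to, an upload from an
    arbitrary internet address is the first thing to chase.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in PARTNER_NETS):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


def autorun_additions(entries, baseline):
    """Files in the Autorun directory newer than a known-good baseline.

    entries: iterable of (path, mtime as aware datetime) pairs, either from
    scan_autorun() on a live host or from a forensic image listing.
    """
    return sorted(path for path, mtime in entries if mtime > baseline)


def scan_autorun(autorun_dir):
    """Live-host wrapper: feed the real directory into autorun_additions()."""
    for entry in os.scandir(autorun_dir):
        yield entry.path, datetime.fromtimestamp(entry.stat().st_mtime, timezone.utc)


# Constructed sample data: a partner upload, an upload from an unknown host,
# a harmless GET, and two Autorun files, one written after the baseline.
SAMPLE_LOG = [
    '198.51.100.10 - - [02/Dec/2024:09:12:01 +0000] "POST /upload HTTP/1.1" 200 4096',
    '203.0.113.7 - - [03/Dec/2024:02:14:11 +0000] "POST /upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Dec/2024:02:14:12 +0000] "GET /index.html HTTP/1.1" 200 80',
]
BASELINE = datetime(2024, 12, 1, tzinfo=timezone.utc)
SAMPLE_AUTORUN = [  # placeholder path, not Cleo's real install layout
    ("/opt/cleo/autorun/nightly_sync.xml", datetime(2024, 11, 20, tzinfo=timezone.utc)),
    ("/opt/cleo/autorun/health.xml", datetime(2024, 12, 3, 2, 14, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(unpatched_cves("5.8.0.21"))                  # ['CVE-2024-55956']
    print(unexpected_uploads(SAMPLE_LOG))              # [('203.0.113.7', 'POST', '/upload', 200)]
    print(autorun_additions(SAMPLE_AUTORUN, BASELINE)) # ['/opt/cleo/autorun/health.xml']
```

The version check deliberately treats 5.8.0.21 as still exposed to CVE-2024-55956, which is the trap several Cleo customers fell into: a host patched in October was not patched for December. autorun_additions() takes plain (path, mtime) pairs rather than touching the filesystem so the same logic runs over a disk image listing during incident response; scan_autorun() is the thin wrapper for a live host.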

Why This Matters Beyond Hertz

The Hertz breach is part of a broader pattern of attacks targeting file transfer software. The Clop ransomware gang previously exploited vulnerabilities in Accellion FTA (2020-2021), GoAnywhere MFT (2023), and MOVEit Transfer (2023), each time compromising dozens or hundreds of organizations through a single software vulnerability.

This pattern demonstrates that file transfer platforms represent a high-value target category. Organizations across industries, including financial services, healthcare, government, and retail, rely on these platforms for sensitive data exchange. A single vulnerability can create cascading effects across the software's entire customer base.

The incident also raises questions about the security practices of enterprise software vendors. Cleo's products are marketed for secure file transfer, yet two zero-day vulnerabilities were exploited within months of each other, and the second was exploited on systems that had already applied the fix for the first. Organizations evaluating file transfer solutions may scrutinize vendor security practices, and the completeness of vendor patches, more closely.

For the rental car industry specifically, the breach exposes the volume of sensitive data these companies collect and retain. Driver's license information is required for vehicle rentals, creating large repositories of identity documents that become attractive targets.

What's Confirmed vs. What Remains Unclear

Confirmed:

  • Hertz data was accessed through Cleo software vulnerabilities
  • The breach was confirmed by Hertz on February 10, 2025
  • Personal information including names, contact details, dates of birth, credit card data, and driver's license information was exposed
  • At least 3,409 Maine residents were affected
  • Hertz, Thrifty, and Dollar brand customers are impacted
  • Hertz reports no evidence that its own network was affected
  • The Clop ransomware gang claimed responsibility

Unclear:

  • Total number of affected customers across all states
  • Specific dates when Hertz customer data was accessed
  • Whether any exposed data has been misused
  • Full extent of data types compromised for each individual
  • Whether Hertz has paid any ransom or engaged with the threat actors

What to Watch Next

State attorney general filings: Additional breach notifications in other states will provide a clearer picture of the total number of affected individuals.

Clop data leak site activity: The ransomware gang may publish stolen data if ransom demands are not met, which would confirm the scope and nature of compromised information.

Cleo security updates: Additional vulnerabilities in Cleo products, if discovered, could indicate broader security issues with the platform.

Regulatory response: State attorneys general or federal regulators may investigate the breach, particularly regarding the disclosure timeline and data protection practices.

Class action litigation: Data breach lawsuits often follow incidents of this scale, particularly when driver's license and credit card information is exposed.

Sources

  1. TechCrunch, "Hertz says customers' personal data and drivers' licenses stolen in data breach," April 14, 2025. https://techcrunch.com/2025/04/14/hertz-says-customers-personal-data-and-drivers-licenses-stolen-in-data-breach/

  2. BleepingComputer, "Hertz confirms customer info, drivers' licenses stolen in data breach," April 14, 2025. https://www.bleepingcomputer.com/news/security/hertz-confirms-customer-info-drivers-licenses-stolen-in-data-breach/

  3. Hertz Corporation, "Notice of Data Incident - United States," April 2025. https://www.hertz.com/content/dam/hertz/global/resources/Notice_of_Data_Incident-United_States.pdf


Related topics: cybersecurity, data breach, zero-day, Cleo, Hertz