Car rental giant Hertz Corporation is notifying customers of the Hertz, Thrifty, and Dollar brands that their personal information was stolen as a result of the Cleo hack last year.
Two zero-day vulnerabilities in Cleo’s file transfer platform, tracked as CVE-2024-50623 and CVE-2024-55956, were exploited by the notorious Cl0p ransomware group in October and December 2024 to exfiltrate data from dozens of organizations.
Over the past several months, Cl0p added hundreds of organizations to its Tor-based leak site, most of which were likely affected by the Cleo incident, Comparitech consumer privacy advocate Paul Bischoff told SecurityWeek in March.
Last week, Hertz began notifying thousands of customers that their personal information was stolen from Cleo’s file transfer platform, which it was using “for limited purposes”.
According to the car rental firm, its analysis of the potentially compromised information, which was concluded in early April, determined that names, contact details, dates of birth, driver’s license numbers, workers’ compensation claims details, and credit card information was stolen in the attack.
For some individuals, Social Security numbers, government ID numbers, passport information, Medicare or Medicaid IDs, and injury-related information from accident claims might have been compromised as well.
The company is providing the potentially affected individuals with two years of free identity monitoring or dark web monitoring services.
“While Hertz is not aware of any misuse of your personal information for fraudulent purposes, we encourage you, as a best practice, to remain vigilant to the possibility of fraud or errors by reviewing your account statements and monitoring free credit reports for any unauthorized activity and reporting any such activity,” the company says in an incident notice (PDF).
The car rental giant has filed data breach notifications with the Attorney General’s Offices in several states, but did not share a total number of potentially impacted individuals. However, it told the Maine AGO that 3,409 state residents were affected.
“This vendor event involves Cleo, a file transfer platform used by Hertz for limited purposes. Importantly, to date, our forensic investigation has found no evidence that Hertz’s own network was affected by this event. However, among many other companies affected by this event, we have confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024,” a Hertz spokesperson told SecurityWeek.
Cl0p was also responsible for the MOVEit campaign, in which the group exploited a zero-day in the MOVEit file transfer software to steal information from thousands of organizations.
The Hertz Corporation operates the Hertz, Dollar, and Thrifty vehicle rental brands throughout North America, Europe, the Caribbean, Latin America, Africa, the Middle East, Asia, Australia, and New Zealand.
Related: Western Alliance Bank Discloses Data Breach Linked to Cleo Hack
Related: Check Point Responds to Hacking Claims
Related: Hacker Leaks Samsung Customer Data
Related:Chinese I-Soon Hackers Hit 7 Organizations in Operation FishMedley