
Car rental giant Hertz has been hit by a cyber attack that has compromised user data, including customers' full driver's licenses.

The company confirmed that an unauthorised third party accessed the data between October and December 2025 by exploiting zero-day vulnerabilities in the platform of its partner, Cleo.

As well as driver's licenses, the stolen data includes names, contact information, dates of birth, credit card information and information related to workers' compensation claims. In a smaller number of cases it also includes Social Security numbers, passport information, and Medicare and government ID numbers.

Zero Day Attack To Blame

Cl0p targeted Cleo, a third-party vendor used by Hertz, with a zero-day attack.

Cl0p is a Russian-speaking ransomware gang that uses a ransomware-as-a-service (RaaS) model, in which other malicious actors rent the gang's malware in exchange for a share of the profits.

Zero-day vulnerabilities are software flaws that are unknown to the vendor (in this case, Cleo) and for which no patch or fix exists at the time of exploitation. The term "zero-day" refers to the fact that the vendor has had zero days to address the vulnerability.

Because these vulnerabilities are unknown, Cl0p was able to leverage them to gain unauthorized access to Cleo's systems before Cleo or the wider security community was even aware of the weaknesses.

Specifically, the criminal group exploited CVE-2024-50623, an unrestricted file upload and download vulnerability, and CVE-2024-55956, which allows unauthenticated command execution.

Earlier this month the criminal gang exploited the same flaws in Kellogg's defences, pointing towards a potentially ongoing, coordinated and widespread campaign targeting vulnerabilities in the Cleo file transfer software.

Personal Data Breached

Following confirmation of the data breach, Hertz liaised with Cleo to address the vulnerabilities and reported the issue to law enforcement.

The company has partnered with Kroll to provide both identity monitoring and dark web monitoring to potentially impacted individuals, free of charge.

If you suspect that you've been targeted, it is important to take immediate and decisive action.

Disconnect any systems suspected of being compromised from the network. This includes cutting off wired and wireless connections.

Change passwords for all accounts, especially administrative and service accounts, from a clean, uncompromised device. Implement multi-factor authentication wherever possible.