Car rental giant Hertz says that customers’ personal data and driver’s licenses have been stolen in a data breach, due to one of its vendors.

As discussed in TechCrunch, the rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors, software maker Cleo, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang between October 2024 and December 2024.

Notices on Hertz’s websites disclosed the breach to customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom. 

Hertz also disclosed the breach with several U.S. states, including California, Maine, and Texas. Hertz said at least 3,400 customers in Maine were affected, and some 96,665 customers in Texas, but neither listed the total number of affected individuals, which is likely to be significantly higher.

Hertz is one of dozens of companies that used Cleo’s software at the time of their data thefts. The Clop ransomware gang claimed last year to have exploited a zero-day vulnerability in Cleo’s widely used enterprise file transfer products, which allow companies to share large sets of sensitive data over the internet. By breaching these systems, the hackers stole reams of data from Cleo’s corporate customers.

Soon after, the Clop ransomware gang claimed on its dark web leak site that it stole data from close to 60 companies by exploiting the bug in their Cleo systems. In a later post, Clop claimed dozens more alleged corporate victims.

The data extortion campaign became one of the most notable mass-hacks of 2024.

At the time, Hertz, which was named on Clop’s site, said it had “no evidence” that Hertz data or Hertz systems were affected.

Now that Hertz says that customers’ personal data has been stolen, it’s a different story. But it’s the same old story in terms of yet another vulnerability within a software vendor that leads to a data breach for several companies. That hertz! (sorry, I couldn’t resist)

So, what do you think? Are you concerned about the data breach at Hertz? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.