
Hertz

Summary

Hertz, which operates the Hertz, Dollar, and Thrifty rental car brands, suffered a data breach between October and December 2024 through a cyber attack on its vendor Cleo's file transfer platform. The Clop ransomware gang exploited zero-day vulnerabilities in Cleo's software, compromising Australian customer data including names, contact information, dates of birth, driver licence information, payment card details, and a small number of passports.

What Happened

Between October and December 2024, the Russia-linked Clop ransomware gang exploited zero-day vulnerabilities in Cleo's enterprise file transfer platform, which Hertz used for limited operational purposes. On 10 February 2025, Hertz confirmed that unauthorised third parties had acquired company data through this exploit. Hertz was initially listed on Clop's darknet leak site on 24 December 2024, with the stolen data published on 24 January 2025 alongside data from other Australian companies including Ampol, Linfox, and Steel Blue. Hertz completed its data analysis on 2 April 2025.

Impact on Individuals

Australian customers of Hertz, Dollar, and Thrifty rental car services had personal information compromised, including names, contact information, dates of birth, driver licence information, and payment card details. A very small number of Australian individuals also had their passport information impacted. The breach affected customers across multiple countries including Australia, Canada, the European Union, New Zealand, and the United Kingdom.

Organisational Response

Hertz disclosed the breach to affected customers in Australia and other countries in April 2025 after completing its data analysis. The company attributed the breach to vulnerabilities in vendor Cleo's file transfer platform and confirmed the incident was part of a mass-hacking campaign by Clop targeting Cleo's enterprise file transfer products.
