
Cleo breach claims another company as Hertz reports customer data leak

“Threat actors keep looking for those holes and vulnerabilities,” SOCRadar CISO tells IT Brew.


Ouch—that really Hertz!

The car rental company suffered a data breach late last year, between October and December 2024, exposing the data of thousands of customers. That might be a conservative estimate, Ensar Seker, CISO at SOCRadar, told IT Brew, noting that the only confirmed count of affected customers comes from the Maine Attorney General’s (AG) office.

“They reported that at least 3,400 customers in Maine were impacted,” Seker said. “Given the company’s global presence, the actual number is likely much higher.”

Taking the wheel. Hertz said in its filing to the Maine AG on Apr. 11 that the company’s “data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.” That tracks with reports from Sam’s Club, which reported an attack on Apr. 1, and the cereal manufacturer WK Kellogg, which reported a similar breach on Apr. 4, both of which occurred in late 2024.

According to reports, the information obtained may include names, payment information, and even Social Security numbers. The attacks on Cleo systems were carried out by the ransomware group Clop, a notorious and allegedly Russia-aligned gang that has been linked to other Cleo breaches.


Driven to succeed. Cleo, an ecosystem integration software firm that operates a file transfer system, had a vulnerability that allowed for remote code execution. As the Center for Internet Security noted on Dec. 12 last year, “an attacker could then install programs; view, change, or delete data.” Seker told IT Brew that this is in large part due to the reality of the development team’s priorities.

“Most of the time, unfortunately, developer teams don’t have a security perspective or security background,” Seker said. “When they create something with vulnerabilities and holes, unfortunately, threat actors keep looking for those holes and vulnerabilities.”

For affected Hertz customers, Seker recommended a slew of security hygiene measures, including using unique passwords for different services, monitoring their finances, keeping abreast of developments in the data breach space, and enrolling in an identity protection service. Companies affected by Cleo aren’t off the hook either.

“It is crucial for companies to not only secure their own systems, but also ensure that their partners and vendors have the same high standards of protection and transparency with customers about how their data is handled,” he said. “Prompt communication in the event of breaches is essential in maintaining trust and economic accountability.”
