Rental giant Hertz has begun notifying customers of data breaches, including personal information and driver’s licenses.
The rental company, which also owns the Dollar and Thrifty brand, said in a notice on its website that the violation was linked to one of the vendors’ cyberattacks between October 2024 and December 2024.
Stolen data varies from region to region, but mainly includes HERTZ customer name, date of birth, contact information, driver’s license, payment card information, and worker’s compensation claims. Hertz said a few customers photographed the Social Security numbers in violation, along with identification numbers issued by other governments.
Notices regarding Hertz’s website revealed violations against clients in Australia, Canada, the European Union, New Zealand and the UK.
Hertz also revealed violations with several US states, including California and Maine. Hertz said that at least 3,400 customers in Maine were affected but did not list the total number of affected individuals, which is likely to be significantly higher.
Hertz spokesman Emily Spencer said that TechCrunch will not provide a specific number of individuals affected by the violation, but that “it’s inaccurate to say millions of people.”
The company attributed the violation to the vendor, software manufacturer Cleo. This was at the heart of a massive hacking campaign by ransomware gangs related to Russia last year.
Hertz is one of dozens of companies that used Cleo’s software when data theft was stolen. The CLOP ransomware gang claimed last year it took advantage of a zero-day vulnerability in Cleo’s widely used enterprise file transfer product. By violating these systems, hackers stole data contacts from Cleo’s corporate customers.
Shortly afterwards, the Clop ransomware gang claimed at the Dark Web leak site that it had stolen data from nearly 60 companies by leveraging a bug in the CLEO system. In a later post, CLOP claimed dozens more corporate victims.
The Data Fear Tor Campaign has become one of the most notable mass hacks of 2024.
Hertz, named on the Clop site at the time, said there was “no evidence” that Hertz data or Hertz system had been affected.
On Monday, a Hertz spokesman confirmed to TechCrunch that although there was no evidence that Hertz’s own network was affected by the violation, Hertz data was obtained by unauthorized third parties who understand that they realized zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.
Cleo executives did not respond to TechCrunch investigations on Monday.