
Summary
Hertz confirmed a data breach stemming from vulnerabilities in its vendor Cleo’s file-transfer software. Customer data, including driver’s licenses and credit card information, was stolen. Hertz is offering two years of identity monitoring services to those affected.
Main Story
Hey there, let’s talk about the recent Hertz data breach – a real eye-opener when it comes to third-party risk. You know Hertz, right? The car rental giant with Dollar and Thrifty under its umbrella. Well, they got hit, and it wasn’t pretty. It turns out the gateway was a pair of zero-day vulnerabilities in file-transfer software from a vendor named Cleo, not a hole in Hertz’s own network. The result? Sensitive customer data – driver’s licenses, credit card details, and in some cases Social Security numbers – stolen. And it really highlights how much we rely on third-party vendors these days, which means inheriting the weaknesses of systems we don’t control.
How Did It Happen?
The breach actually happened between October and December of 2024, but it wasn’t caught until February 10, 2025. Can you imagine? The Clop ransomware group – those guys are relentless – exploited two vulnerabilities, CVE-2024-50623 and CVE-2024-55956, in Cleo’s managed file-transfer products (Harmony, VLTrader and LexiCom). Both let an unauthenticated attacker read and write files on the transfer server itself, so whatever was staged there could be siphoned off from a bunch of organizations, Hertz being one of the unlucky ones. Hertz is still working out the full extent of the breach, but initial reports suggest that over 100,000 people could be affected. Notifications are already out to customers across different states and countries.
What kind of Data?
The data compromised depends on the individual, but typically, it could include:
- Name
- Contact information
- Date of birth
- Credit card details
- Driver’s license numbers
- Workers’ compensation claim information
And, unfortunately for some, a smaller group of individuals might have had their Social Security numbers, government IDs, passport info, Medicare/Medicaid IDs, or even medical records related to vehicle accident claims compromised. Horrifying, isn’t it?
Hertz’s Response – Is It Enough?
Hertz says its own internal systems weren’t directly affected and that the breach originated in Cleo’s platform. That said, they’re acknowledging the seriousness of the situation and are taking steps to try and clean up the mess. For example:
- They’re offering affected customers two years of free identity monitoring services through Kroll. Is that enough, though?
- They’re urging customers to keep a close watch on their financial accounts and credit reports for anything fishy.
- Hertz is also saying they’re cooperating with law enforcement and regulatory bodies. Hopefully, that gets somewhere.
- Cleo says it has patched both vulnerabilities. Anyone running its software should verify that the fixed build is what’s actually installed on every instance, rather than taking the vendor’s word for it.
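Here’s the kind of check I mean, as an added example (my own illustration, not tooling from Hertz or Cleo): walk an inventory of Cleo instances and compare each reported version against the fixed build. The fixed-version constant is the build Cleo’s advisory named for CVE-2024-55956 at the time of writing, which also supersedes the earlier 5.8.0.21 fix for CVE-2024-50623 that was reported bypassed; treat it as an assumption and confirm it against the vendor’s current advisory. The inventory, hostnames and versions are constructed.

```python
# Added example: verify a vendor's "we patched it" claim against what is actually
# installed. Illustration only, not Hertz's or Cleo's own tooling.

# Build named as fixed in Cleo's advisory for CVE-2024-55956 when this was
# written (the earlier 5.8.0.21 fix for CVE-2024-50623 was reported bypassed,
# so it falls below this threshold). Assumption: re-check the current advisory.
FIXED_VERSION = "5.8.0.24"
AFFECTED_PRODUCTS = {"Harmony", "VLTrader", "LexiCom"}

# Constructed inventory (hostname, product, reported version): sample data, not
# a real environment. A real run would pull this from a CMDB or asset scanner.
INVENTORY = [
    ("mft-ext-01", "Harmony", "5.8.0.24"),
    ("mft-ext-02", "VLTrader", "5.8.0.21"),   # first fix, later bypassed
    ("mft-legacy", "LexiCom", "5.7.0.0"),
    ("mft-ext-03", "Harmony", "unknown"),     # agent could not read the version
    ("sftp-01", "OpenSSH", "9.6"),            # not a Cleo product
]


def parse_version(text):
    """Turn '5.8.0.21' into (5, 8, 0, 21). Raises ValueError on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(product, version):
    """Return 'patched', 'vulnerable', 'unknown' or 'out_of_scope' for one host."""
    if product not in AFFECTED_PRODUCTS:
        return "out_of_scope"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"          # never silently treat an unreadable version as safe
    # Tuple comparison handles a short version: (5, 8) < (5, 8, 0, 24).
    return "patched" if installed >= parse_version(FIXED_VERSION) else "vulnerable"


def audit(inventory):
    """Group hosts by status so the vulnerable and unknown ones are easy to act on."""
    report = {"patched": [], "vulnerable": [], "unknown": [], "out_of_scope": []}
    for host, product, version in inventory:
        report[classify(product, version)].append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

The two cases worth noticing are the host still on the first, bypassed patch, which a naive “has it been patched?” question would count as fixed, and the host whose version couldn’t be read, which the check reports as unknown rather than quietly leaving it off the vulnerable list.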
It’s like that time my friend’s company outsourced their customer service to a cheaper vendor, and within months, customer satisfaction plummeted. A seemingly good cost-saving move turned into a PR nightmare. It really does teach us to look a little closer at who we trust.
Third-Party Risk – A Growing Problem
This incident is a glaring reminder of why third-party risk management is so crucial. Companies rely on outside vendors for practically everything these days, and every vendor that handles your data is another place it can leak from. If a vendor gets breached, it can create a domino effect throughout the supply chain, impacting tons of businesses and potentially millions of people. And it highlights why it’s so important to have a well-reviewed vendor security policy in place.
So, what should businesses be doing to protect themselves? I have a few thoughts:
- First, do your homework before partnering with any vendor. I mean, really dig into their security practices.
- Make sure you have ironclad security requirements and service-level agreements in place. Spell everything out clearly.
- Regularly check your vendor’s security, including whether the fixes they announce are actually installed on the systems that handle your data. Don’t just assume they’re doing what they promised.
- Have incident response plans that specifically address third-party breaches. What’s the plan if things go south?
- Keep the lines of communication open with your vendors regarding security. Talk to each other!
Final Thoughts
Ultimately, the Hertz data breach is a wake-up call. Cybersecurity isn’t just your problem; it’s a shared responsibility. We need to be proactive about managing third-party risks to safeguard our own data and the sensitive information our customers trust us with. As of today, April 22, 2025, investigations are still ongoing, and the full fallout from this breach might not be clear for some time. So, stay vigilant out there. It’s the only way to stay ahead of these constantly evolving cyber threats.
Given the reliance on vendors, what specific contractual clauses or auditing practices can effectively ensure continuous vendor compliance with evolving cybersecurity threats, beyond initial security assessments?
That’s a great point about continuous vendor compliance! Beyond initial assessments, clauses specifying regular penetration testing and vulnerability scanning are crucial. Also, mandating participation in industry threat intelligence sharing can help vendors stay ahead of emerging threats and adapt their security posture accordingly. What are your thoughts?
Editor: StorageTech.News
Thank you to our Sponsor Esdebe
Given the breach occurred between October and December, and wasn’t discovered until February, what proactive monitoring or detection mechanisms could have shortened the discovery window and minimized data exfiltration?
That’s a crucial question! Implementing robust Security Information and Event Management (SIEM) systems with real-time log analysis could have helped. Also, network traffic analysis with anomaly detection could have flagged the unusual data exfiltration patterns sooner. Shortening that discovery window is paramount! Thanks for raising this important point.
Editor: StorageTech.News
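Following up on that exchange, here is an added example of the kind of anomaly check the reply describes (my own illustration, not a product from Hertz, Cleo or any vendor): per-host daily egress totals, as a SIEM might aggregate them from firewall or NetFlow logs, scored against each host’s own history rather than a global threshold. The log lines, hostnames and addresses are constructed, and the thresholds are assumptions to tune for your environment.

```python
# Added example: flag a host whose outbound volume or destination breaks from
# its own baseline. Constructed data; not real Hertz or Cleo telemetry.
import re
from collections import defaultdict
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) host=(?P<host>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

MIN_BASELINE = 5     # days of history before a host is scored (assumption)
Z_THRESHOLD = 4.0    # standard deviations above the host's own mean (assumption)
STDEV_FLOOR = 0.05   # sigma never below 5% of the mean, so a flat baseline cannot
                     # turn a trivial increase into an alert or divide by zero

# Constructed daily summaries: a file-transfer host moving ~400 MB/day to one
# partner, then a 9 GB day to an address never seen before, and a web host
# that stays flat. Addresses are documentation ranges, not real endpoints.
SAMPLE_LOG = """\
2024-10-01 host=mft01 dst=198.51.100.20 bytes_out=412000000
2024-10-02 host=mft01 dst=198.51.100.20 bytes_out=398000000
2024-10-03 host=mft01 dst=198.51.100.20 bytes_out=405000000
2024-10-04 host=mft01 dst=198.51.100.20 bytes_out=421000000
2024-10-05 host=mft01 dst=198.51.100.20 bytes_out=390000000
2024-10-06 host=mft01 dst=198.51.100.20 bytes_out=408000000
2024-10-07 host=mft01 dst=198.51.100.20 bytes_out=415000000
2024-10-08 host=mft01 dst=203.0.113.77 bytes_out=9200000000
2024-10-01 host=web01 dst=198.51.100.30 bytes_out=120000000
2024-10-02 host=web01 dst=198.51.100.30 bytes_out=118000000
2024-10-03 host=web01 dst=198.51.100.30 bytes_out=122000000
2024-10-04 host=web01 dst=198.51.100.30 bytes_out=119000000
2024-10-05 host=web01 dst=198.51.100.30 bytes_out=121000000
2024-10-06 host=web01 dst=198.51.100.30 bytes_out=123000000
2024-10-07 host=web01 dst=198.51.100.30 bytes_out=117000000
2024-10-08 host=web01 dst=198.51.100.30 bytes_out=125000000
this line is malformed and must be skipped, not crash the pipeline
"""


def parse(log_text):
    """Parse summary lines into dicts, drop malformed ones, sort chronologically."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"date": m["date"], "host": m["host"],
                            "dst": m["dst"], "bytes": int(m["bytes"])})
    records.sort(key=lambda r: (r["date"], r["host"]))
    return records


def detect(records):
    """Score each day against the host's prior days; return the alerts raised."""
    history = defaultdict(list)   # host -> prior daily byte totals
    seen_dst = defaultdict(set)   # host -> destinations seen so far
    alerts = []
    for r in records:
        host, prior, reasons = r["host"], history[r["host"]], []
        if len(prior) >= MIN_BASELINE:
            mu = mean(prior)
            sigma = max(pstdev(prior), STDEV_FLOOR * mu, 1.0)
            z = (r["bytes"] - mu) / sigma
            if z > Z_THRESHOLD:          # only upward spikes matter for exfiltration
                reasons.append(f"egress z={z:.1f} (baseline mean {mu / 1e6:.0f} MB)")
            if r["dst"] not in seen_dst[host]:
                reasons.append(f"new destination {r['dst']}")
        if reasons:
            alerts.append({"date": r["date"], "host": host, "reasons": reasons})
        history[host].append(r["bytes"])
        seen_dst[host].add(r["dst"])
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a["date"], a["host"], "; ".join(a["reasons"]))
```

Scoring against each host’s own baseline is the point: a file-transfer server moving hundreds of megabytes a day is normal and a web server doing the same is not, and a twenty-fold jump on either stands out the day it happens rather than months later. On a dedicated transfer host that only talks to known partner endpoints, a never-before-seen destination is a strong signal by itself; on a general-purpose host it is noisy, so weight it together with volume.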