Pierluigi Paganini April 15, 2025

Hertz Corporation disclosed a data breach after customer data was stolen via Cleo zero-day exploits in late 2024, affecting Hertz, Thrifty, and Dollar brands.

Car rental giant Hertz Corporation disclosed a data breach that impacted its Hertz, Thrifty, and Dollar brands. Threat actors gained access to customer data via Cleo zero-day exploits in late 2024.

“Cleo is a vendor that provides a file transfer platform used by Hertz for limited purposes. On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.” reads the data breach notification published by the company. “Hertz immediately began analyzing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted.”

According to data breach notification shared with the Maine’s Attorney General’s Office, 3,409 Maine residents were affected. The notifications were also sent to California and Vermont, though both states don’t disclose the number of affected individuals.

In January 2025, the Clop ransomware group added 59 new companies to its leak site, the gang claimed to have breached them by exploiting a vulnerability ​​in Cleo file transfer products. 

In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2024-50623 (CVSS score 8.8), which impacts multiple Cleo products to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability affects the following products LexiCom before version 5.8.0.21, Harmony prior to version 5.8.0.21, and VLTrader prior to version 5.8.0.21.

On December 9, reports of active exploitation targeting Cleo file transfer software began circulating among cybersecurity community. Security firm Huntress publicly disclosed ongoing exploitation involving three different Cleo products. Huntress researchers created a proof of concept and learned the patch does not mitigate the software flaw. The experts warned that fully patched systems running 5.8.0.21 are still exploitable.

The Clop ransomware group claimed to have contacted the breached organizations, but they ignored ransom negotiations, so the gang threatens to publish stolen data on January 18, 2025.

In January, a spokesperson for U.S. car rental giant Hertz told TechCrunch that it is “aware” of Clop’s claims, but added there is “no evidence that Hertz data or Hertz systems have been impacted at this time.”

Hertz confirmed on April 2, 2025, that a breach exposed customer data, including names, contacts, DOB, credit card, driver’s license information and information related to workers’ compensation claims.

A small number of people may have had their SSNs, government IDs, passport info, medical IDs, or injury-related claim data exposed in the breach.

Hertz confirmed Cleo addressed the breach, notified law enforcement and regulators, and offers 2 years of free Kroll identity monitoring. The company hasn’t detected any misuse of the exposed data but advises affected individuals to stay vigilant, monitor accounts and credit reports, and report any suspicious activity.

Clop group already targeted enterprise file transfer software in the past, a large-scale hacking campaign exploited vulnerabilities in MOVEit Transfer and GoAnywhere.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)