(NEXSTAR) — An unknown number of Hertz customers may have had some of their personal data stolen in a data breach impacting one of its vendors, the company confirmed Tuesday.
The data, a Hertz spokesperson told Nexstar, “was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.”
A statement noted that Hertz uses the file transfer platform “for limited purposes.”
“Importantly, to date, our forensic investigation has found no evidence that Hertz’s own network was affected by this event,” the statement continued. “However, among many other companies affected by this event, we have confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.”
In a notice of data incident on Hertz’s website, the company said it learned its data had been impacted in early February and “immediately began analyzing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted.”
Hertz said it determined that the personal information potentially exposed may include names, contact information, dates of birth, credit card information, driver’s licenses, and information regarding workers’ compensation claims.
“A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event,” the notice read. Impacted customers are expected to be notified, if they haven’t been already.
The Hertz spokesperson did not disclose to Nexstar how many people may have had their information exposed. A company spokesperson told Mashable and TechCrunch that “it would be inaccurate to say millions of customers are affected.”
In a notice filed in Maine, Hertz said 3,409 customers in that state alone were affected. Another roughly 96,600 in Texas may have been impacted, TechCrunch reported. The site noted that Hertz customers in Australia, Canada, the European Union, New Zealand, and the United Kingdom were also alerted about the breach.
The rental car company said it was not aware of any misuse of the information accessed but is offering those impacted two years of identity monitoring or dark web monitoring services through Kroll. Potentially impacted individuals are encouraged to “remain vigilant” regarding their bank statements and credit reports.
Hertz said it had notified law enforcement of the incident and “confirmed that Cleo took steps to investigate the event and address the identified vulnerabilities.”
TechCrunch and Mashable reported that Cleo’s software was hacked by a ransomware group last year. Cleo had not responded to requests for comment as of Tuesday.