Car rental giant Hertz Corporation has confirmed a data breach stemming from the Cleo managed file sharing platform’s zero-day vulnerabilities that have affected nearly 100 organizations.
Tracked as CVE-2024-50623 and CVE-2024-55956, the zero-day vulnerabilities affect Cleo’s Harmony, VLTrader, and LexiCom managed file transfer products.
Estero, Florida-based Hertz Corporation operates Hertz, Dollar, and Thrifty car rental businesses with additional operations throughout North and South America, Europe, Africa, the Middle and Far East, and the Asia-Pacific region.
“On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024,” the company stated.
Hertz responded by analyzing the exposed data to identify impacted individuals and the scope of the incident.
Hertz confirms Cleo file sharing data breach leaked sensitive information
On April 2, 2025, Hertz completed the analysis and determined that the data breach leaked personal information that varied by individual.
Details leaked included the name, contact information, date of birth, credit card information, driver’s license information, and workers’ compensation claims data.
The file sharing data breach also leaked, for some victims, Social Security Numbers or other government-issued IDs, passport information, Medicare or Medicaid IDs associated with workers’ compensation claims, and injury-related information from vehicle accidents linked to claims data that was also exposed in the breach.
Meanwhile, Hertz assured the public that Cleo, the file sharing system’s developer, has identified and addressed the exploited flaws. Hertz added that it has reported the data breach to relevant law enforcement and will soon notify the relevant regulators.
Additionally, data breach victims will receive two years of identity theft protection from Kroll, “out of an abundance of caution,” to protect them from fraud.
However, victims should also monitor their accounts and credit reports for suspicious activity and respond promptly by notifying relevant authorities should they detect any anomalies.
So far, Hertz says it has found no evidence, including on underground hacking forums, that the threat actor has misused the stolen information.
“While Hertz is not aware of any misuse of your personal information for fraudulent purposes, we encourage you, as a best practice, to remain vigilant to the possibility of fraud or errors by reviewing your account statements and monitoring free credit reports for any unauthorized activity and reporting any such activity,” the company stated.
So far, the number of impacted victims remains unreported, but at least 3,409 Hertz customers in Maine were affected by the Cleo managed file sharing application data breach.
“The data breach impacting Hertz and its associated brands is a textbook example of how third-party vulnerabilities can cascade into massive data exposure, even for well-established enterprises,” lamented Ensar Seker, CISO at SOCRadar. “Hertz may not have been directly compromised, but its vendor relationships introduced risk vectors that weren’t fully mitigated,” he added. “This is a growing pattern across the ransomware landscape, where attackers target software supply chains to scale their reach and impact.”
Multiple companies impacted by the Cleo data breach
Meanwhile, the Clop ransomware gang has taken responsibility for the Cleo data breach and leaked Hertz’s data on its data leak site. The ransomware gang lists over 66 companies it claims were impacted by the Cleo data breach.
In April 2025, U.S. food giant WK Kellogg confirmed it was among the dozens of companies impacted by the Cleo data breach. Western Alliance Bank and Sam’s Club are also investigating potential data breaches stemming from the Cleo managed file sharing appliance exploitation.
The Clop ransomware gang has repeatedly demonstrated its ability to compromise third-party managed file transfer systems at scale, having previously targeted the Accellion File Transfer Appliance (FTA), GoAnywhere Managed File Transfer (MFT), and Progress Software’s MOVEit secure file transfer product.
“This breach highlights the necessity for increased proactive vendor due diligence, enhanced threat intelligence sharing, and stronger regulatory pressure on third-party software providers to comply with contemporary security standards,” concluded Seker.