Hertz Confirms Data Breach After Clop Ransomware Attack Exposes Customer Info

Hertz customers have been hit with more than just hidden rental fees this year.

The car rental giant has confirmed a serious data breach, with hackers gaining access to sensitive customer information from its Hertz, Thrifty, and Dollar brands. The breach stems from zero-day vulnerabilities in Cleo’s file transfer software, exploited by the notorious Clop ransomware gang.

Attackers slipped in months before anyone noticed

The breach wasn’t just yesterday’s news. In fact, the actual infiltration happened months ago, in October and December of 2024. But it wasn’t until February 10, 2025, that Hertz confirmed what had really gone down.

At that point, the damage had already been done.

Hertz admitted that hackers used zero-day flaws in Cleo’s platforms—tools meant to securely transfer files between companies—to quietly grab data.

Some customers lost just their contact info. Others? A whole lot more.

Here’s what the hackers got their hands on

The data varies. And not in a good way.

For some, it might just be a name and phone number. But for others, the breach is enough to make your stomach drop.

  • Names, phone numbers, and emails

  • Dates of birth

  • Driver’s license numbers

  • Credit card details

  • Workers’ compensation claim info

  • Social Security numbers (for a limited few)

  • Government IDs, passports, Medicare/Medicaid IDs tied to claims

  • Injury-related info from car accidents

So yeah, this wasn’t just a marketing list. It was personal.

And not everyone was hit equally. A “very small number,” according to Hertz, had their most sensitive identifiers stolen. That’s cold comfort for those who might now face identity theft or worse.

Clop’s calling card is all over it

The Clop ransomware group is behind this breach. Again.

They didn’t encrypt files this time—they just took what they wanted. The group claimed responsibility and later posted some of Hertz’s stolen data on their leak site. Classic Clop move.

This gang has been active since 2019. But in recent years, they’ve shifted focus. Less ransomware, more “smash-and-grab” data theft using unknown flaws in big-name file transfer tools.

They’ve done it before:

  • MOVEit Transfer

  • GoAnywhere MFT

  • SolarWinds Serv-U

  • Accellion FTA

Now add Cleo Harmony, LexiCom, and VLTrader to that list.

They hit 66 companies in this latest spree. Hertz just happens to be one of the bigger names caught in the blast radius.

Who else got burned?

While Hertz has dominated headlines, they’re far from alone.

Several other companies either confirmed similar breaches or are still digging through their systems:

  • Western Alliance Bank

  • WK Kellogg Co

  • Sam’s Club

Each confirmed—or at least strongly hinted—that their data was also stolen via the same Cleo vulnerabilities.

Some of these names might surprise you. But that’s the thing with software supply chains: when one weak link breaks, it pulls down everyone attached.

And not every company is quick to admit they’ve been hacked. So don’t be shocked if this list keeps growing.

What is Hertz doing now?

The company says it’s analyzing the stolen data to figure out exactly who’s affected. That work started back in February, right after the breach was confirmed.

In the meantime, Hertz is offering two years of free identity monitoring for impacted customers. That includes fraud alerts and credit monitoring services.

But people aren’t exactly reassured.

A few customers took to Reddit and X (formerly Twitter) to say they had no idea Cleo even handled their personal info. One post read: “Never even heard of Cleo. Why does a rental company need a file transfer vendor anyway?”

Fair question.

Still, the leaked data hasn’t shown signs of being used in scams or fraud—at least not yet.

But let’s be honest: that’s not much of a comfort when your driver’s license and credit card number are floating around on the dark web.

The trend is getting worse, not better

If you’re starting to think these zero-day attacks are becoming more common, you’re not wrong.

Hackers are finding—and exploiting—previously unknown software bugs faster than companies can patch them. And these aren’t always glamorous targets either. Often it’s back-end vendors like Cleo, who quietly move data around while staying out of the public eye.

Here’s a quick look at major incidents connected to Clop:

| Company / Platform    | Vulnerability Used      | Breach Confirmed |
|-----------------------|-------------------------|------------------|
| Hertz                 | Cleo Zero-Day           | Feb 2025         |
| Sam’s Club            | Cleo Zero-Day           | Feb 2025         |
| Western Alliance Bank | Cleo Zero-Day           | Jan 2025         |
| MOVEit Customers      | MOVEit Zero-Day         | May 2023         |
| Accellion Clients     | Accellion FTA Zero-Day  | Jan 2021         |
| SolarWinds Victims    | Serv-U Zero-Day         | Jul 2021         |

That’s not a coincidence. It’s a pattern. And one that companies aren’t prepared to stop.

Because you can’t fix a problem you don’t know exists. Until it’s too late.

Hayden Patrick is a writer who specializes in entertainment and sports. He is passionate about movies, music, games, and sports, and he shares his opinions and reviews on these topics. He also writes on other topics when there is no one available, such as health, education, business, and more.
