Hertz, the global car rental company, has begun notifying its customers of a data breach that exposed their personal information, driver's licenses, and payment card details. The breach, which occurred between October and December 2024, was attributed to a cyberattack on one of its vendors, Cleo Software.

The stolen data varies by region, but largely includes customer names, dates of birth, contact information, driver's licenses, payment card information, and workers' compensation claims. A smaller number of customers had their Social Security numbers taken in the breach, along with other government-issued identification numbers. Notices on Hertz's websites disclosed the breach to customers in Australia, Canada, the European Union, New Zealand, the United Kingdom, and several U.S. states, including California and Maine.

Hertz did not provide the total number of affected individuals, but a spokesperson confirmed that at least 3,400 customers in Maine were impacted. The company's spokesperson, Emily Spencer, stated that it would be "inaccurate to say millions" of customers are affected, leaving the exact scope of the breach unclear.

The breach is linked to a mass-hacking campaign by the Russia-linked ransomware gang, Clop, which exploited a zero-day vulnerability in Cleo Software's enterprise file transfer products. This vulnerability allowed the hackers to steal sensitive data from dozens of companies, including Hertz, that used Cleo's products. Last year, Clop claimed to have stolen data from close to 60 companies, and later alleged dozens more corporate victims.

Hertz initially denied being affected by the breach, stating that it had "no evidence" that its data or systems were compromised. However, the company has now confirmed that its data was acquired by an unauthorized third party that exploited the zero-day vulnerability in Cleo's platform.

The incident highlights the risks associated with third-party vendors and the importance of ensuring the security of sensitive data. It also raises concerns about the potential consequences of data breaches, including identity theft and financial fraud. Hertz customers are advised to monitor their accounts and credit reports closely and to take steps to protect their personal information.

The breach is a significant blow to Hertz's reputation and may lead to increased scrutiny of the company's data security practices. As the cybersecurity landscape continues to evolve, companies must prioritize the protection of sensitive data and invest in robust security measures to prevent such breaches.

At the time of writing, Cleo Software had not responded to requests for comment on the breach. The incident serves as a reminder of the importance of transparency and accountability in the face of cybersecurity threats.