Global Impact: Hertz Data Breach and Its International Ripple Effects


In early 2025, Hertz confirmed that a cybersecurity incident at its file-transfer vendor, Cleo Communications, resulted in unauthorized acquisition of Hertz data during two exploitation windows in October and December 2024. 

Hertz says it confirmed the data theft on February 10, 2025, completed its analysis on April 2, 2025, and began notifying customers and regulators in multiple countries.

But how has the data breach affected U.S. consumers and the rest of the world?

 

Breach’s reach in the U.S. vs. Australia

Hertz published country-specific notices. The U.S. notice lists the potentially affected data types as names, contact details, dates of birth, credit card data, driver’s license information, and workers’ compensation claim information. For a very small subset of individuals, the data may also include Social Security numbers, other government identification numbers, passport information, Medicare or Medicaid IDs (associated with workers’ compensation claims), or injury information tied to vehicle accident claims. The notice also confirms that Hertz is offering two years of Kroll identity or dark-web monitoring.

Hertz’s Australia notice states that the exposed data for Australian individuals could include name, contact details, date of birth, driver’s license information, and payment card information, and that a very small number of individuals may also have had passport details exposed. Hertz states it has reported the event to law enforcement, is in the process of reporting to relevant regulators, and is offering two years of Kroll monitoring.

 

Clop ransomware’s global footprint

The Cleo incident occurred against the backdrop of large, globally distributed supply-chain data-theft campaigns by the CL0P (Clop) group, which is known for mass exploitation of zero-day vulnerabilities in managed file-transfer software (notably MOVEit Transfer). U.S. CISA and the FBI have documented Clop’s worldwide activity and the broad impact of these mass-exploitation campaigns, in which a single vendor vulnerability exposes the data of every organization that uses the affected product.

While Hertz’s notices do not name the threat group, mainstream reporting has linked the Cleo zero-day exploitation to Clop’s data-theft operations.

 

Notifications and legal actions in different countries

In the United States, companies that notify more than 500 California residents of a single breach must submit a sample copy of the notice to the California Attorney General, and many states set notification deadlines that run from discovery of the breach. Hertz issued a public U.S. notice and offered remedial services through Kroll; state attorneys general commonly receive copies of consumer notifications as well.

In Australia, organizations covered by the Privacy Act must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme when a breach is likely to result in serious harm. Hertz’s AU notice states it is “in the process of reporting the event to relevant regulators.”

 

Cross-border data protection laws (e.g., GDPR, CCPA)

For EU residents, the GDPR requires controllers to notify the supervisory authority within 72 hours of becoming aware of a personal-data breach (Article 33), and to inform affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34). The GDPR applies extraterritorially when a non-EU company offers goods or services to, or monitors the behaviour of, individuals in the EU (Article 3).

In the U.S., there is no single federal breach-notification law; obligations vary by state. California’s Civil Code §1798.82, for example, requires notice to affected consumers and requires that a sample copy of the notice be submitted to the Attorney General when more than 500 California residents are notified as a result of a single breach. Many states specify timing as “without unreasonable delay,” and some set a specific number of days.

 

Impact on international customers: passports, licenses, privacy laws

Hertz’s U.S. notice confirms a small group may have had passport numbers and other government IDs impacted; the Australia notice notes a very small number of Australian individuals may have had passport information exposed, in addition to driver’s license and payment card data. These identifiers are particularly sensitive because they are used across borders for identity verification and travel; remediation may require replacement documents depending on country rules.

 

Hertz’s regional response strategies

Hertz tailored notices and call-center details by region and arranged two years of Kroll monitoring (identity or dark-web) at no cost to affected individuals. The company states it reported the incident to law enforcement and is reporting to relevant regulators.

 

Regulatory engagement in Australia vs. U.S.

Australia’s NDB scheme centralizes notifications through OAIC; Hertz’s AU notice indicates regulator reporting is in progress. In the U.S., reporting is decentralized, and companies may need to notify multiple state attorneys general and provide consumer notices that meet state-specific content rules.

 

Media coverage differences (U.S. vs. AU)

U.S. coverage highlighted vendor exploitation and the company’s identity-protection offer; Reuters reported Hertz disclosed the incident publicly in April 2025 and attributed it to a vendor breach at Cleo. Australian coverage emphasized local impacts, including potential exposure of passports and licenses.

 

Lessons for global companies on vendor risk

The Hertz incident underscores the systemic risk of third-party file-transfer tools: Hertz’s own systems were not the point of compromise, yet Hertz carried the notification and remediation burden because its data passed through the vendor’s product. Clop’s file-transfer exploitation campaigns (e.g., MOVEit) show how one zero-day can cascade into hundreds of organizations across jurisdictions. Regulators encourage strong vendor-risk management, timely patching, network segmentation that limits what a compromised transfer server can reach, and rapid breach reporting across borders.

 

How cross-border liability is handled

Cross-border incidents trigger overlapping legal regimes. The GDPR may apply to non-EU companies that target or monitor EU residents (Article 3), U.S. state laws apply based on where affected residents live and which data categories were exposed, and Australia’s NDB rules apply to entities bound by the Privacy Act. Liability, forum, and remedies ultimately turn on where affected individuals reside, where the company is established, and the contractual terms with vendors. This is why global incident response plans and vendor contracts that clearly allocate security and notification duties matter.

 

Were Australian customers impacted by the Hertz data breach?

Yes. Hertz’s Australia notice states that Australian individuals’ data may include name, contact details, date of birth, driver’s license information, and payment card information; a very small number may include passport data.

 

How does GDPR affect the Hertz data breach?

If EU data subjects were affected, the GDPR can apply even to non-EU companies when they target or monitor people in the EU. The GDPR requires notifying the supervisory authority within 72 hours of becoming aware of the breach and, when the risk to individuals is high, notifying the individuals themselves. Hertz’s public notices do not name specific EU regulators but state that regulatory reporting is ongoing.

 

Did Hertz notify global regulators about the data breach?

Hertz’s U.S. and AU notices say the company reported the event to law enforcement and is in the process of reporting it to relevant regulators. Regulatory reporting obligations differ by country and, in the U.S., by state.

 

How does breach law vary internationally?

In the EU, the GDPR sets a uniform framework enforced by national supervisory authorities. In the U.S., state laws govern timing, notice content, and who else must be notified (e.g., state attorneys general or credit bureaus). In Australia, the OAIC’s NDB scheme governs which breaches are notifiable and how notification proceeds. These differences mean multinational companies must run parallel notification tracks for a single incident.

To learn more about your eligibility for a claim, contact Morgan & Morgan for a free case evaluation.

Disclaimer
This website is meant for general information and not legal advice.
