Hertz Data Breach 2025: What Really Happened and Who Was Affected

In early 2025, Hertz Corporation publicly confirmed a serious data breach that impacted its Hertz, Dollar Car Rental, and Thrifty brands. 

Here's everything you need to know, from the timeline and technical origins to affected individuals, the response, and what to do if you're impacted.

The Hertz Data Breach Timeline So Far

• Breach Period (October–December 2024): The malicious activity began when attackers exploited two zero-day vulnerabilities in Cleo’s file-transfer platform during this period. The breach affected Hertz’s customer data transferred via Cleo.
• Discovery (February 10, 2025): Hertz officially detected and confirmed unauthorized access to its data, though the intrusion stemmed from Cleo’s systems, not Hertz’s own network.
• Data Analysis & Notifications (April 2025): By April 2, the company had completed its forensic analysis to determine the scope. Official breach notifications began around April 11, 2025.
  
   

The Origin of the Hertz Breach: Cleo and the Zero-Day Exploit

The breach originated from Cleo Communications US, LLC, a third-party vendor providing managed file-transfer (MFT) solutions (e.g., Cleo Harmony, VLTrader, LexiCom) that Hertz used for limited purposes.

Attackers exploited previously unknown zero-day vulnerabilities, notably tracked as CVE-2024-50623 and CVE-2024-55956, allowing unauthorized access and execution capabilities.

The Ransomware Group Involved: Clop

The Clop (Cl0p) ransomware group claimed responsibility for this incident. Known for targeting file-transfer software via zero-day flaws (including Cleo, MOVEit, GoAnywhere), Clop included Hertz in a list of victims on its dark-web leak site.

Brands Affected by the Hertz Data Breach

Hertz confirmed that customer data from the Hertz, Dollar, and Thrifty brands was involved in the breach.

The Types of Data Compromised in the Hertz Data Breach

The breach exposed a broad range of customer information, which can be divided into two groups:

General Data

This type of data was potentially compromised for the largest group of people and includes names, contact information, dates of birth, credit card details, driver’s license information, and workers’ compensation claims.
 

Highly Sensitive Subset

While affecting fewer people, this data includes highly sensitive information, such as Social Security numbers, other government-issued IDs, passport details, Medicare/Medicaid IDs tied to comp claims, and injury-related vehicle accident information.

 

The Number of Individuals Affected by the Hert Data Breach

Hertz hasn’t disclosed a total number of impacted customers. However, state notifications give early visibility:

• Maine: At least 3,409 residents have been notified.
• Texas: Around 96,665 customers were reportedly affected.
• Overall (nationwide): Likely exceeds 100,000, though no firm total has been released.
  
   

Hertz’s Response to the Data Breach

Hertz deployed several key mitigation measures. The company reported the breach to law enforcement and began notifying relevant regulators. Later, all affected individuals are offered two years of free identity monitoring (credit or dark-web, depending on region) through Kroll, and Hertz encouraged individuals to monitor financial accounts, credit reports, and remain vigilant against fraud.

Cleo has also since addressed and patched the exploited vulnerabilities. Hertz’s investigation suggests the company actively remediated identified security gaps.

Are You at Risk of Fraud?

There is no known misuse of the leaked data yet. Hertz reports no evidence of fraudulent use of the compromised data to date. However, ongoing vigilance is encouraged.

Experts warn this type of data—especially IDs that cannot be reset—is “prime identity theft material,” exposing victims to synthetic identity fraud, targeted phishing, and fraudulent claims.

What caused the Hertz data breach?

A ransomware-linked attack (by hacker group Clop) exploited zero-day vulnerabilities in Cleo’s file-transfer software during October–December 2024, allowing unauthorized access to customer data.

How many customers were impacted by the Hertz data breach?

Hertz has not provided a firm total. Notifications include 3,409 Maine residents and approximately 96,665 in Texas, suggesting at least 100,000 people nationwide are affected.

Was my personal data exposed?

If you received a breach notification from Hertz, your data likely was among those compromised. Fraud risk remains low, but monitoring your accounts and credit activity is strongly advised.

What is Hertz doing about the breach?

Hertz reported the incident to law enforcement and regulators, completed a data exposure assessment, had Cleo patch vulnerabilities, and is offering two years of free identity monitoring via Kroll.

What should I do if I have received a breach notice?

If you received an official notice from Hertz, sign up for the free identity monitoring offered and keep a close eye on your financial accounts and credit reports. You may also want to consider placing a credit freeze or fraud alert with credit bureaus.

Stay alert for suspicious emails or phishing attempts, and if you discover that the data breach has caused you damages, contact Morgan & Morgan to learn more about your legal options.