Hertz Data Breach Response: Evaluating Their Communication & Actions


When a company as well-known as Hertz suffers a data breach, the consequences go far beyond compromised information. Customers deserve transparency, and regulators demand compliance.

The way an organization reacts in the days and weeks following a breach often determines whether it can regain trust or deepen mistrust.

The Hertz data breach, disclosed on February 10, 2025, and analyzed further by April 2, 2025, provides a case study in breach response.

 

Timeline: From Disclosure to Analysis

On February 10, 2025, Hertz confirmed that its data had been acquired by an unauthorized third party. The company identified that zero-day vulnerabilities in its vendor Cleo Communications’ file-transfer platform were exploited during October and December 2024.

Hertz completed its data analysis on April 2, 2025, determining the types of personal information potentially impacted.

 

Public Statements and Transparency

Hertz issued several press releases and regulatory filings acknowledging the incident. 

The notice, issued on behalf of Hertz, Dollar, and Thrifty brands, outlined the breach's cause and scope, stating that Cleo had investigated the event and addressed the vulnerabilities.

Hertz emphasized that its own network was unaffected and noted no evidence of misuse or fraudulent activity to date.

For many affected customers, the communications raised more questions than answers, such as how exactly their information could be misused and what steps they should take right away.

 

Notification Methods

Hertz began notifying affected individuals on April 11, 2025, using a combination of direct mail, email, and official regulatory filings. This mixed approach reflects industry standards, ensuring that individuals receive information through at least one reliable channel.

Still, not every customer reportedly received timely notification. Some only learned of the breach from media coverage before official contact from Hertz. Such gaps can erode trust, especially when dealing with sensitive data such as Social Security numbers, driver’s license details, and payment card information.

 

Rollout of Identity Monitoring Services via Kroll

To mitigate potential harm, Hertz partnered with Kroll, a well-known identity monitoring provider. Impacted customers were offered up to two years of free monitoring and fraud resolution support.

While this is a valuable step, some consumer advocates argue that two years may not be long enough, particularly when Social Security numbers and other permanent identifiers are exposed. Unlike credit card numbers, which can be changed, government-issued identifiers follow individuals for life.

 

Legal and Regulatory Compliance Steps

From a compliance standpoint, Hertz appears to have met the minimum notification deadlines required by state and federal law, as well as international regulations where applicable. The company filed notices with multiple attorney general offices, a key step in demonstrating legal transparency.

That said, meeting the bare minimum is different from exceeding expectations. Regulators increasingly expect companies to provide swift, detailed, and consumer-friendly updates—not just check the compliance box.

 

Criticisms Over Speed or Completeness of Response

Critics highlight that the lag between disclosure and detailed analysis left customers uncertain for weeks. In that time, cybercriminals could exploit stolen data for fraud, while individuals lacked clear guidance on protecting themselves.

Others questioned whether Hertz’s initial statements downplayed the severity of the breach. By the time April’s deeper analysis arrived, the public perception was that the company was reacting to external pressure rather than proactively informing its customers.

 

Comparisons to Industry Peers’ Responses

Compared to other large-scale breaches, Hertz’s response was average but not exemplary. For instance:

  • Some companies now provide real-time online dashboards with updates, FAQs, and resource links. Hertz did not.
  • Others extend three to five years of identity monitoring, especially when permanent identifiers are exposed. Hertz offered two years.
  • A few industry leaders issue plain-language summaries alongside legal filings. Hertz primarily relied on formal notices.

In short, Hertz’s approach aligned with industry minimums but did not stand out as consumer-first.

 

Best Practices for Corporate Breach Communication

Experts point to several best practices for handling a breach:

  1. Rapid, transparent disclosure within days, not weeks, of discovery.
  2. Clear, jargon-free communication that explains risks in layman’s terms.
  3. Dedicated resources, such as a hotline or website, for affected individuals.
  4. Extended monitoring services beyond two years for highly sensitive data.
  5. Consistent updates as investigations progress, rather than a single initial statement.

Hertz adopted some of these practices, but not all.

 

How Individuals Perceive the Response

For many consumers, perception is as important as compliance. In surveys following major breaches, customers consistently say they want honesty, clarity, and guidance. Delays, confusing notices, or minimal support fuel frustration.

In Hertz’s case, some affected customers expressed relief that identity monitoring was offered but remained concerned that the company’s communication was reactive rather than proactive. Trust, once lost, is difficult to rebuild.

 

Suggestions for Improvement

If Hertz or any company wants to strengthen future responses, they might consider:

  • Issuing clearer FAQs upfront to answer common questions.
  • Providing ongoing communication, even if investigations are incomplete.
  • Extending monitoring services to cover long-term risks tied to SSNs and driver’s licenses.
  • Empowering customers with step-by-step protection guides, rather than generic advisories.

These steps go beyond compliance to show a genuine commitment to protecting consumers.

 

 

When did Hertz inform customers?

Hertz first disclosed the breach on February 10, 2025, with additional details released on April 2, 2025.

 

How did Hertz communicate the breach?

The company notified customers via mail, email, and regulatory filings, though some customers first learned of the breach from media coverage.

 

Is two years of identity monitoring sufficient?

While better than no monitoring, two years may be insufficient given that stolen Social Security numbers and driver’s licenses can be exploited indefinitely. Longer coverage would provide stronger protection.

 

Have they complied with legal standards?

Yes, Hertz appears to have complied with state, federal, and international reporting obligations. However, compliance does not always equal best practice. Some consumers who were notified late or not at all have brought forward lawsuits.

 

What would a better response look like?

A stronger response would include faster disclosures, plain-language communication, extended monitoring services, and continuous updates throughout the investigation.

While the company checked the legal boxes, many feel it stopped short of truly putting customers first. In today’s digital environment, a breach response is not just about limiting liability—it’s about demonstrating responsibility.

For consumers, the lesson is clear: don’t wait on corporate communications to act. Monitor your accounts, consider credit freezes, and take advantage of any identity monitoring offered. For companies, the takeaway is equally clear: when it comes to breach response, speed, clarity, and empathy matter as much as legal compliance.

If you believe you were affected by the Hertz data breach, contact Morgan & Morgan today for a free case evaluation to learn more about your legal options.

Disclaimer
This website is meant for general information and not legal advice.
