How Co-Managed Software Firms Like Cleo Can Put You at Risk: Lessons from the Hertz Data Breach

When a major company suffers a data breach, the headlines focus on the household name, in this case Hertz. 

But behind many of these incidents lies a lesser-known third party. In the Hertz breach, the entry point was not Hertz’s own servers but vulnerabilities in Cleo, a file-transfer and integration platform the company relied on to exchange data with outside parties. 

The incident is one example of an increasingly common threat: the hidden risk introduced by co-managed software firms and the wider software supply chain.

 

What Is Cleo and Its Role at Hertz?

Cleo makes a managed file-transfer (MFT) and data-integration platform that many large companies use to exchange sensitive information such as customer records, financial files, and operational data with partners, vendors, and internal systems. For an enterprise like Hertz, that means a great deal of regulated data passes through, and is temporarily stored on, Cleo’s servers.

Because an MFT platform concentrates sensitive files from many customers in one product, a single vulnerability in it becomes a doorway not to one company but to dozens or hundreds of the vendor’s clients. That is what happened with Hertz. According to Hertz’s April 2025 notification, attackers exploited flaws in Cleo’s software in October and December 2024 and took customer and operational data that was moving through the platform.

 

Understanding Zero-Day Vulnerabilities

A central factor in many supply chain breaches is the so-called zero-day vulnerability. A zero-day is a flaw that is exploited before the vendor has released a fix, either because the vendor does not yet know about it or because a patch is not yet available. The name refers to the number of days defenders have had to prepare: zero.

In Cleo’s case, attackers leveraged a vulnerability that had not yet been fixed, so the usual control of patching promptly could not have prevented the initial intrusion. For a customer like Hertz, the data was exposed through no direct fault of its own, which is what makes a zero-day in a vendor’s product such a distinctive risk. The practical consequence is that defenders cannot rely on patching alone: a file-transfer server that must be reachable from the internet should be exposed as narrowly as possible, and its logs and outbound traffic should be watched for behaviour a patch would otherwise have prevented, such as unexpected file writes on the server or large, unscheduled transfers out of it.

 

Supply Chain Attacks and Cascading Risks

The Hertz incident is a textbook example of a supply chain attack. Instead of attacking a large corporation with mature defenses head-on, attackers go after a third-party product or vendor with weaker security or an exploitable flaw. Once inside, they can reach the larger company’s data, either by pulling it straight from the vendor’s systems, as happened here, or by using the vendor’s access to pivot further into the customer’s network.

The risks cascade. When a single vendor serves dozens of clients, one vulnerability can trigger a domino effect across multiple industries. In the case of Cleo, many companies that depended on its platform found themselves exposed at once, and each had to work out what data had been sitting on the compromised servers.

 

Clop’s History with File-Transfer Platforms

The Clop ransomware group has repeatedly exploited vulnerabilities in file-transfer and data-integration software. Before Cleo, Clop ran large-scale campaigns against Accellion’s File Transfer Appliance and Fortra’s GoAnywhere MFT, compromising hundreds of organizations worldwide. In these campaigns the group typically skipped encrypting anything and simply stole the files passing through the platform, then extorted the victims.

Their strategy is clear: instead of targeting individual corporations, Clop zeroes in on widely used tools that act as central arteries for data. This approach gives them a larger pool of victims, often with highly sensitive information in transit. The Hertz breach is part of this broader pattern, a reminder to businesses that if their vendors are vulnerable, so are they.

 

Other High-Profile Third-Party Breaches for Context

The Hertz/Cleo incident is far from isolated. Consider a few other examples:

  • MOVEit Transfer (2023): Another file-transfer tool exploited by Clop. The MOVEit campaign led to breaches at major financial firms, universities, and government agencies.
  • Allianz Life (July–August 2025): Attackers impersonated IT staff and used a malicious version of the Salesforce Data Loader tool, connected to the company’s third-party CRM as an OAuth app, to extract sensitive customer information. 
  • Google (June–August 2025): The intrusion cluster Google tracks as UNC6040, associated with the ShinyHunters extortion brand, carried out a wave of voice-phishing (vishing) attacks against Salesforce CRM users; one of Google’s own instances was affected, exposing contact details and notes for small- and mid-sized business customers. 
  • Workday (2025): Workday disclosed that it was targeted via a social engineering campaign involving a third-party CRM, widely believed to be Salesforce.

 

These cases show that a company’s own cybersecurity is not enough if its third-party vendors are not held to the same standards.

 

Steps Companies Should Take to Vet Vendors

Given these risks, businesses must scrutinize the vendors they rely on. Proper vendor vetting includes:

  • Security certifications: Ensuring vendors meet standards like ISO 27001 or SOC 2, and reviewing the scope and exceptions in the actual report rather than just the certificate.
  • Penetration testing: Requiring vendors to commission independent penetration tests of the product and any hosted service, and to share the results or a summary of findings and remediation.
  • Data handling transparency: Understanding where and how sensitive data is stored and transmitted, including how long files remain on the vendor’s servers after a transfer completes.
  • Incident response plans: Confirming that vendors have procedures for quickly containing and reporting breaches, and that the contract sets a notification deadline.

A thorough vendor risk assessment should be as integral to a business as hiring decisions.

 

Recommendations for Redundancy and Security Audits

One breach at a third-party provider should not grind a business to a halt. Companies should build redundancy into their operations by:

  • Diversifying vendors: Avoiding reliance on a single software provider.
  • Regular security audits: Reviewing vendor performance and compliance annually or quarterly.
  • Failover systems: Ensuring alternate methods of data transfer are available if one system is compromised.

These proactive measures can help mitigate the disruption caused by a compromised vendor.

 

Role of Regulators in Third-Party Oversight

As supply chain attacks become more common, regulators are paying closer attention. Financial institutions, for example, are already subject to third-party risk management rules. Broader oversight may be on the horizon, requiring all industries to hold their vendors to higher security standards.

In the wake of breaches like Hertz’s, regulatory bodies may expand requirements for vendor reporting, breach notification, and security certifications. This could help create more accountability across the software supply chain.

 

What Individuals Can Ask Companies About Vendor Security

While customers may feel powerless in these situations, individuals can and should demand accountability from companies that handle their data. Key questions to ask include:

  • Which vendors does the company rely on for sensitive data handling?
  • What security certifications do those vendors maintain?
  • How quickly will customers be notified if a third-party breach occurs?

Companies that are transparent about vendor security demonstrate a stronger commitment to protecting customer data.

 

Industrywide Lessons from Supply Chain Breaches

The Hertz breach and others like it teach a sobering lesson: cybersecurity is no longer confined to internal defenses. Companies are only as strong as their supply chain.

To address this, industries must shift toward:

  • Collaborative defense strategies, where companies share threat intelligence.
  • Standardized vendor requirements, ensuring all providers meet baseline security levels.
  • Continuous monitoring, rather than one-time vendor audits.
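
One way to make “continuous monitoring” concrete, as an added example that is not code from the original article, from Cleo, or from Hertz: keep an inventory of the third-party file-transfer software you run and re-check it against the vendor’s advisories every time either side changes. The hosts, product names, versions and advisory IDs below are constructed placeholders (the advisory IDs are not real CVEs); in a real deployment the inventory would come from a CMDB or agent export and the advisories from the vendor’s advisory page or a known-exploited-vulnerability catalogue.

```python
"""Continuous check of third-party software versions against an advisory feed.

Added example; not code from the original article, from Cleo, or from Hertz.
Everything below is constructed for illustration: the hosts, the product
names and versions, and the advisory records (placeholder IDs, not real CVEs).
In practice INVENTORY would come from a CMDB or endpoint agent export and
ADVISORIES from the vendor's advisory page or a known-exploited-vulnerability
catalogue, and the check would run on every change to either, not once a year.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '4.2.10' into (4, 2, 10).

    Comparing version strings lexically is a classic bug: '4.2.10' < '4.2.9'
    is True for strings and False for the tuples this returns. Anything that
    is not dotted integers is rejected rather than guessed at.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {v!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b ('4.2' and '4.2.0' are equal)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder identifier, not a real CVE
    product: str
    fixed_version: str      # first version that is no longer affected
    exploited_in_wild: bool


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_exposed: bool  # reachable from the internet, e.g. a partner-facing MFT edge


@dataclass(frozen=True)
class Finding:
    host: str
    advisory_id: str
    priority: str           # "P1" (patch now), "P2" or "P3"


def evaluate(assets: Iterable[Asset], advisories: Iterable[Advisory]) -> List[Finding]:
    """Flag every asset running a version below an advisory's fixed version.

    Priority is driven by the two facts that matter most when a patch is late
    or missing: is the flaw already being exploited, and is the host exposed.
    """
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if not version_lt(asset.version, adv.fixed_version):
                continue  # already at or above the fixed version
            if adv.exploited_in_wild and asset.internet_exposed:
                priority = "P1"
            elif adv.exploited_in_wild or asset.internet_exposed:
                priority = "P2"
            else:
                priority = "P3"
            findings.append(Finding(asset.host, adv.advisory_id, priority))
    return sorted(findings, key=lambda f: (f.priority, f.host))


# Constructed inventory: four file-transfer hosts, three of them partner-facing.
INVENTORY = [
    Asset("mft-edge-01.example.test", "ExampleMFT", "4.2.1", internet_exposed=True),
    Asset("mft-edge-02.example.test", "ExampleMFT", "4.2.3", internet_exposed=True),
    Asset("mft-int-01.example.test", "ExampleMFT", "4.1.9", internet_exposed=False),
    Asset("sftp-legacy.example.test", "OtherGateway", "2.1", internet_exposed=True),
]

# Constructed advisory feed: placeholder IDs, not real vulnerabilities.
ADVISORIES = [
    Advisory("EXAMPLE-2024-0001", "ExampleMFT", fixed_version="4.2.3", exploited_in_wild=True),
    Advisory("EXAMPLE-2024-0002", "OtherGateway", fixed_version="2.0", exploited_in_wild=False),
]


def run_report() -> List[Finding]:
    """Evaluate the constructed inventory against the constructed feed."""
    return evaluate(INVENTORY, ADVISORIES)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.priority}  {f.host:28}  {f.advisory_id}")
```

The version comparison is the part that most often goes wrong: comparing “4.2.10” and “4.2.9” as strings ranks the newer build as older, so the check parses dotted numerics into tuples and refuses anything else rather than guessing. When a vendor revises an advisory’s fixed version, which happens when an initial patch turns out to be incomplete, rerunning the same check re-flags hosts that had appeared to be safe; that is exactly the property a one-time audit lacks.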

Ultimately, trust in digital business ecosystems will depend on addressing these systemic risks.

 

 

What is a zero-day exploit?

A zero-day exploit is a cyberattack that targets a previously unknown vulnerability in software. Because the flaw has not yet been patched, companies have “zero days” to prepare, making these attacks especially dangerous.

 

Why did Cleo’s breach affect Hertz?

Hertz used Cleo to transfer and manage sensitive data. When Cleo was compromised, attackers gained access to information belonging to Hertz’s customers and operations, even though Hertz’s own systems weren’t directly hacked.

 

How can companies secure their vendors?

Companies can vet vendors through certifications, audits, penetration testing, and transparency about data handling. They should also implement redundancy to minimize the fallout from a single vendor breach.

 

What questions should I ask about vendor security?

Ask about security certifications, incident response policies, and how quickly you’ll be notified if your data is affected. Companies that are prepared should be able to answer confidently.

 

Has this happened before in other industries?

Yes. High-profile cases include SolarWinds (a trojanized software update), MOVEit (a zero-day in a file-transfer product), and Target (credentials stolen from an HVAC vendor), all of which involved a third party’s software or access and exposed vast amounts of sensitive data.

 

How can Morgan & Morgan help?

The sad truth is that your personal data’s safety often depends on companies you’ve never heard of. Vendors like Cleo play a critical role in modern business operations, but they also expand the attack surface for hackers. Until companies, regulators, and industries treat third-party risk as a top priority, these supply chain breaches will continue to jeopardize consumer trust.

For consumers impacted by data breaches, it’s important to know your rights. At Morgan & Morgan, our attorneys have been fighting for individuals whose private information has been exposed due to corporate negligence for over 35 years, and we have recovered over $25 billion in the process.

If you believe your data was compromised in the Hertz breach, you may be entitled to compensation. Contact us today for a free case evaluation to learn more about your legal options.

Disclaimer
This website is meant for general information and not legal advice.
