Inside the Investigation: How Hertz and Authorities Responded to the Breach

When a massive data breach strikes, what happens behind the scenes often determines how much damage is ultimately done to consumers. 

The recent Hertz data breach has drawn national attention not only for its scope but also for how the company, its vendors, and law enforcement responded. For the millions of drivers who rely on Hertz for car rentals, the incident unveiled the risks that come with entrusting sensitive information to corporations.

Below, we take a closer look inside the investigation, from the moment of detection through law enforcement involvement, corporate transparency, and what individuals can do to protect themselves in the aftermath.

The Timeline of the Hertz Breach: Detection to Notification

• February 10, 2025 — Detection: Hertz first detected suspicious activity in systems managed by Cleo, a third-party vendor providing file transfer and cloud data integration services. The breach was determined to have allowed unauthorized access to customer records.
• April 2, 2025 — Forensic Analysis Complete: After nearly two months of digital forensics and network analysis, investigators confirmed which data was accessed and how attackers exploited the vulnerability. This report gave Hertz and authorities the foundation to move forward with remediation and consumer notifications.
• April 11, 2025 — Notifications Sent: Hertz began mailing breach notification letters to impacted individuals shortly after completing its data analysis.
   

The nearly seven-week span between detection and forensic confirmation is not unusual in large-scale breaches, where investigators must carefully examine massive volumes of logs and files to piece together exactly what happened.

However, some customers and legal observers have criticized the nearly two-month delay between detection and notification, arguing that it prevented individuals from taking timely protective actions. Lawsuits filed in states like Florida and Illinois alleged that Hertz’s delayed disclosure impaired consumers’ ability to mitigate potential harm.

Law Enforcement and Regulatory Involvement

Given the sensitive nature of the data involved, including driver’s licenses, passports, and payment information, law enforcement agencies quickly became involved. Federal authorities are believed to have assisted in reviewing whether the stolen data appeared on criminal marketplaces or was tied to organized cybercrime groups.

In addition, state attorneys general in jurisdictions with strong privacy laws, such as California, Massachusetts, and New York, began reviewing whether Hertz’s disclosure complied with legal obligations. Regulators often evaluate:

• The timing of consumer notifications
• The adequacy of protective measures offered to victims
• Whether corporate negligence contributed to the breach
  
   

Cleo’s Internal Response

As the vendor at the center of the breach, Cleo faced immediate scrutiny. The company confirmed that attackers exploited a vulnerability in its secure file transfer system. Cleo worked with independent forensic experts to patch the issue, improve monitoring, and apply additional safeguards to prevent recurrence.

Vendor-based incidents like this present a growing reality: even if a company like Hertz invests heavily in cybersecurity, vulnerabilities in third-party providers can still put consumers at risk.

Communications to Affected Users

Once forensic work wrapped up, Hertz began notifying affected customers. The company used a mix of email and physical mail notices, depending on available contact information. Each notice explained:

• What information may have been exposed
• The steps Hertz was taking to secure systems
• How individuals could access free identity protection services

The clarity and speed of these communications are critical. In some cases, delays or vague explanations can cause consumers to underestimate the seriousness of a breach.

Kroll Identity Monitoring Rollout

To help consumers protect themselves, Hertz partnered with Kroll, a leading provider of identity theft monitoring. Impacted individuals received free coverage, which included:

• Credit monitoring across major bureaus
• Dark web monitoring for stolen credentials
• Identity restoration services if fraud occurs
• $1 million identity theft insurance

While such services cannot undo the breach, they provide important tools for detecting fraudulent activity early.

Hertz’s Public Statements and Transparency

In public statements, Hertz expressed regret over the breach, emphasized that internal Hertz systems remained uncompromised, and pointed to Cleo as the vendor source of the vulnerability.

However, consumer advocates have criticized the company for the nearly two-month delay between detection and consumer notification and for limited details on exactly what types of records were exposed.

The perception of deflecting responsibility onto Cleo rather than accepting broader accountability has also come into the public discourse.

Transparency is key in crisis management, and companies that downplay or delay acknowledgment often face reputational damage alongside legal liability.

How Hertz’s Response Compares to Other Vendor-Based Incidents

Vendor breaches are increasingly common. For example, the MOVEit breach in 2023 exposed data from dozens of organizations through a single third-party file transfer tool, and the Blackbaud breach in 2020 compromised nonprofit donor databases and led to years of litigation.

In each case, the key issues were how quickly companies notified customers, the thoroughness of remediation, and whether responsibility was clearly assumed. Hertz’s response falls somewhere in the middle, offering strong identity protection but facing criticism for delayed transparency.

What This Case Shows About Corporate Responsibility

The Hertz incident underscores several broader lessons about corporate responsibility:

• Vigilance Beyond Internal Systems — Companies must monitor not just their own systems but also those of their vendors and partners.
• Speed of Notification Matters — Consumers cannot take protective steps until they know their information is at risk.
• Transparency Builds Trust — Acknowledging faults and clearly explaining impacts helps rebuild consumer confidence.
• Legal and Financial Accountability — When negligence or delay causes harm, affected individuals may be entitled to compensation.
  
   

Tips for Individuals to Stay Updated and Secure

If you believe you may have been affected or simply want to stay safer in today’s digital environment, consider these steps:

• Read all notifications carefully and sign up for free monitoring if offered.
• Check your credit reports regularly for unfamiliar accounts or inquiries.
• Set up fraud alerts or credit freezes if you suspect exposure.
• Stay skeptical of phishing attempts, which often follow major breaches.
• Bookmark the official breach update page from Hertz or regulators for accurate, ongoing information.
   

Who was involved in the investigation?

Independent forensic experts, Cleo’s internal security team, Hertz’s IT department, and federal law enforcement agencies all participated in the investigation.

How long did Hertz take to notify customers?

Hertz detected the breach on February 10, 2025 but did not begin notifying customers until after the forensic analysis concluded on April 2, 2025—a delay of nearly two months.

What does the identity monitoring service cover?

Kroll’s services include credit monitoring, dark web monitoring, fraud resolution support, and up to $1 million in identity theft insurance.

Did Hertz’s internal systems remain secure?

Yes. Based on forensic findings, the compromise was limited to Cleo’s vendor environment. Hertz’s own core systems were not breached.

Is there an ongoing threat even after the patch?

Cleo has patched the exploited vulnerability, but once data is stolen, it can circulate indefinitely on dark web marketplaces. Individuals should remain alert for potential misuse of their information.

While Hertz has offered identity protection and worked with authorities, the delay in notification has raised legitimate concerns that misuse of this information may have already occurred.

At Morgan & Morgan, we believe corporations must be held accountable when their actions or inaction place consumers at risk. If you believe you have suffered identity theft, fraud, or other harm as a result of this or any other data breach, our attorneys are here to help.

Hiring one of our lawyers is easy, and you can get started in minutes with a free case evaluation.