Preventing Future Data Breaches: Lessons From the Hertz–Cleo Incident

In late 2024, Hertz became one among dozens of organizations hit by a supply-chain data breach stemming from vulnerabilities in Cleo Communications’ file-transfer platform. 

In other words, Hertz used a third-party system to store customer data, and security measures weren’t strict enough to prevent a hack, leaving unsuspecting consumers at risk and their private information leaked.

So how could this have been prevented, and just as important, how do we stop it from happening again?

1. Identify Single Points of Failure 

The breach occurred not via Hertz’s internal network, but through an external vendor (Cleo) used “for limited purposes.” Yet hackers exploited zero-day flaws in Cleo’s platform to access Hertz’s data. 

This illustrates how even a peripheral vendor can become a critical single point of failure, and these vendors’ security measures should be routinely vetted.

Moving forward, companies should map all external dependencies, then assess each for potential security gaps. No vendor is too small to warrant scrutiny.

2. Importance of Third-Party Risk Assessments

Cleo claims its zero-day vulnerabilities were unknown before exploitation. Still, multiple organizations across industries were affected, including Hertz, Western Alliance Bank, Sam’s Club, WK Kellogg, and more. Critics argue this should have highlighted the necessity of proactive third-party risk assessments for Hertz.

In the future, organizations should require vendors to maintain robust cybersecurity frameworks and pay special attention to vendors handling sensitive transfers, even if the engagement seems limited.

 

3. Patch Management and Vendor Update Verification

Zero-day vulnerabilities are especially dangerous when patches aren’t applied swiftly. Although Cleo eventually patched its Harmony, VLTrader, and LexiCom products, the window for attack remained open for months.

Future best practices should include monitoring vendor patch-related bulletins in real time and establishing processes for verifying vendor updates are properly deployed in your environment.

 

4. Encryption and Secure Data-Transfer Standards

While details on encryption usage weren’t disclosed, it’s reasonable to assume that stronger encryption (both at rest and in transit) could have mitigated risk, even if the vendor’s system was compromised.

The best practice recommendation would be to implement end-to-end encryption for all file transfers, including those involving third-party platforms.

5. Continuous Monitoring and Threat Detection

Hertz discovered the breach on February 10, 2025, after exploitation occurred in October and December 2024, and only completed data analysis by April 2, 2025.

Gaps in monitoring and delayed detection allowed extended unauthorized access, so implementing real-time anomaly detection for vendor connections and monitoring outbound data transfers, access logs, and irregular usage patterns can all help to reduce these risks.

 

6. Incident Response Readiness & Drills

In this case, Hertz responded by launching a forensic investigation, notifying regulators and law enforcement, and completing analysis in under two months. Still, the response window was substantial.

Lesson to learn: Regularly drill incident response protocols, including those involving third-party breaches. Ensure roles, communications, and containment steps are tested and clear.

7. Legal Readiness Frameworks Post-Breach

Following the breach, affected individuals were notified across multiple states and countries; in Texas alone, about 96,665 residents received notifications, and 3,409 in Maine.

Key legal actions include preparing breach response templates for multi-jurisdictional notifications and tracking varying regulatory timelines and thresholds for breach disclosures and reporting.

 

8. Communication Plans for Breach Disclosures

Hertz issued formal notices, offered two years of free identity or dark-web monitoring via Kroll, and encouraged vigilance despite no known misuse so far.

Future strategies for communications should include prompt, transparent messages focusing on protection, monitoring, and reassurance. Additionally, companies should offer tangible remediation (e.g., credit monitoring), while clearly explaining known facts and next steps—avoiding vague language intended to diffuse legal liability.

 

9. Employee Training and Vendor Oversight

Though not detailed, this breach highlights the cascading impact of vendor vulnerabilities. Ensuring both internal and external personnel understand risk is vital.

To avoid your own people as security vulnerabilities, educate employees on vendor risk and the importance of escalation, and include vendor oversight as part of routine cybersecurity training and audits.

 

10. Industry-Wide Benchmarks for Data Security Resilience

This incident follows similar attacks via software supply-chain targets like MOVEit and GoAnywhere MFT.

For benchmarking tactics, participate in industry threat-sharing forums, learn from peer responses to similar zero-day supply-chain attacks, and establish internal resilience metrics.
 

How can breaches like this be avoided?

By conducting comprehensive vendor risk assessments, enforcing patch and encryption protocols, monitoring for abnormal behavior, scheduling incident simulations, and maintaining clear legal and communication plans.

What does vendor risk management involve?

It includes evaluating vendors’ security posture, monitoring their update cadence, including contractual SLAs for risk, and regular audits or real-time verification procedures.

Should all data be encrypted?

Yes, especially sensitive personal data. End-to-end encryption for both file transfers and data at rest provides critical protection, even if a vendor platform is compromised.

What emergency protocols should companies have?

A solid response plan should include detection procedures, chain-of-command roles, legal notification templates, communication strategies for internal and external stakeholders, and post-incident review.

How can smaller companies learn from this?

Even small businesses rely on vendors, but not confirming a vendor's security measures is no different than neglecting your own. Businesses can:

• Use vendor risk scorecards.
• Insist on SOC 2 or ISO 27001 compliance.
• Implement encrypted transfer tools.
• Use affordable monitoring and response tools.

The Hertz–Cleo incident serves as a stark reminder: no business is immune when third-party systems are vulnerable. If your data was exposed due to lax security measures, contact us today for a free case evaluation to learn more about your legal options.