State-by-State Breakdown: Who’s Affected by the Hertz Breach?

In April 2025, Hertz began notifying customers that personal data tied to its Hertz, Dollar, and Thrifty brands was stolen in a third-party incident involving Cleo Communications’ file-transfer software. 

Hertz says attackers exploited two zero-day vulnerabilities in Cleo’s platform during October and December 2024, and the company confirmed on February 10, 2025, that its data had been acquired. Hertz completed its data review on April 2, 2025, and started sending notices around April 11.

If you believe your information was exposed in this breach or if you’re already experiencing fraud, you may have legal options. At Morgan & Morgan, we fight for victims of corporate negligence in protecting personal data. Our attorneys can help you understand your rights, hold companies accountable, and pursue compensation for financial losses tied to data breaches.

If you’ve been affected by the Hertz data breach, contact Morgan & Morgan today for a free case evaluation.

Below is what’s publicly documented so far, plus what it means where you live.

Known Counts by State

Some areas were hit harder than others, and several states have made official filings or statements. For instance:

• Maine: 3,409 residents notified, per the Maine AG breach portal entry for The Hertz Corporation (posted April 11, 2025).
• Texas: 96,665 residents listed in Hertz’s notice to the Texas AG, according to The Record’s review of state filings.
• New Hampshire: “More than 4,600” Granite Staters, according to New Hampshire outlet WMUR, citing the company’s notification.

What data was at risk? Hertz’s U.S. notice says names, contact details, dates of birth, driver’s license, and payment card data were involved; for a smaller subset, Social Security and passport numbers and some workers’ comp data may have been affected.

States With Filings but No Public Statewide Total Yet

The following states have reported filings or have made public statements but have yet to achieve a statewide total number of those affected:

• California: Sample consumer notices filed with the CA Attorney General appear when 500+ residents are affected, but Hertz has not publicly disclosed a California count.
• Massachusetts: The Commonwealth posts copies of breach letters; counts sometimes appear later in MA’s monthly/annual breach reports, but no statewide number for Hertz has been published in those reports to date.
• Iowa: The AG hosts a breach-notification list and posted Hertz correspondence, but no resident count has been published there.
• Vermont: Hertz reported to Vermont regulators, per The Record, though no statewide total has been announced.

Reported counts often roll out in waves as companies finish validation and as states update portals.

Regional Variations in Notification Timing and Process

Hertz says it began consumer notifications around April 11, 2025, following its completed analysis on April 2, 2025. 

State postings appeared over the next several days (e.g., April 11 in Maine; April 16 coverage in New Hampshire).

Texas also posted details on its AG portal around that time. These timing differences are common because each state has its own portal cadence and thresholds.

State Disclosure Frameworks and What the Laws Require

Different states require distinct actions in response to a data breach.

• California: Businesses must notify affected residents and file a sample notice with the AG if 500+ Californians are affected. CCPA/CPRA also gives consumers a private right of action for certain data-security incidents involving non-encrypted, non-redacted personal information.
• Texas: Notify residents as soon as possible and no later than 60 days after determining a breach; notify the AG within 30 days if 250+ Texans are affected.
• Massachusetts: Notice to residents and to the AG/Office of Consumer Affairs; the state posts breach letters. MA law bars including the nature of the breach in the consumer notice itself and requires identity-theft mitigation info.
• New Hampshire: Notify affected individuals as soon as possible and notify the AG (or primary regulator) with the anticipated consumer-notice date and estimated in-state count.
• Iowa: Notify consumers without unreasonable delay; if 500+ residents are notified, inform the AG’s Consumer Protection Division within five business days after consumer notice.
  
   

Legal Implications by Jurisdiction

Each state also has its own unique legal consequences.

• California: Potential CCPA/CPRA statutory damages (if elements are met), plus claims under other laws (e.g., negligence). The private right of action makes California uniquely plaintiff-friendly for eligible incidents.
• Texas, Massachusetts, New Hampshire, Iowa, Maine: No CCPA-style private right in the breach statutes, but residents may still pursue claims under consumer-protection or negligence theories. Each state AG can enforce the notification laws and assess penalties for late/inadequate notice (e.g., Texas emphasizes 60-day consumer notices and 30-day AG notice for 250+ residents).
  
   

State Regulators’ Involvement or Responses

Regulators primarily act through posting notices and ensuring statutory requirements are met. 

For example, Maine posted the 3,409 count; Texas maintains an AG breach list with entity-reported counts and timing; New Hampshire runs a public breach-notification page and reported 4,600+ affected residents through local media; Iowa has a security-breach page and published Hertz correspondence.

International coverage (Australia and beyond)

Hertz published localized notices for multiple regions, including Australia, where reports noted passport and payment details among the exposed data for some customers, and that two years of Kroll monitoring was offered. Media in Australia tied the breach to the Cl0p gang’s exploitation of Cleo’s platform. Hertz says it has reported the incident to relevant regulators.

How to Verify Whether Your State Was Properly Notified

To verify your state’s notification and timing of the data breach, check your state AG breach portal.

• California: Search the AG’s public Data Breach List for “Hertz.”
• Massachusetts: Review the Data Breach Notification Letters page (by month).
• New Hampshire: See the AG’s Security Breach Notifications page.
• Texas: Use the AG’s Data Security Breach Reports dashboard.
• Iowa: Check the Security Breach Notifications list; look for Hertz or Cleo-related entries.
• Maine: The AG viewer entry for Hertz lists the 3,409 Maine residents.
   

If you received a letter or email from Hertz, keep it—that notice is your proof of impact and typically includes an offer of two years of free Kroll identity monitoring.

What to Do Now

Act quickly if you’re in a state with a private right of action, such as California. Statutes can have tight windows and specific pre-suit requirements.

Enroll in the free monitoring offered and place fraud alerts and credit freezes (free under federal law). Hertz’s notice lists step-by-step instructions.

Document any misuse (fraudulent charges, new-account attempts) and save screenshots—this evidence matters for damages.

Finally, contact Morgan & Morgan if you suspect your data was leaked or used to commit fraud.

Was my state impacted by the Hertz breach?

Likely yes, if you rented with Hertz, Dollar, or Thrifty in 2024–2025. Confirmed counts so far include Texas (~96,665), Maine (3,409), and New Hampshire (4,600+). Other states (e.g., CA, MA, IA, VT) have filings but haven’t posted final resident counts.

How do I check if my state is covered?

Search your state AG breach portal for “Hertz” and verify listing dates and entity name (“The Hertz Corporation”). If you received a notice, you’re covered regardless of the portal timing. 

Do affected states have different rights or laws?

Yes. California residents may have a CCPA/CPRA private right of action for certain breaches; other states rely on general consumer-protection or negligence claims and AG enforcement. Notice deadlines and AG-notification thresholds differ by state.

Which state has the most affected residents so far?

Based on public filings and reporting to date, Texas appears to be hit the hardest with ~96,665 residents being affected. Totals can change as state portals update.

Are international customers treated differently?

Hertz issued region-specific notices and is offering Kroll identity monitoring to affected individuals internationally as well. Local regulators and data-protection laws (e.g., in the EU/UK, Canada, Australia) govern disclosure specifics.

If you received a Hertz notice or see your state listed, you may have legal options. Morgan & Morgan is already evaluating state-by-state remedies, including CCPA/CPRA claims for Californians and consumer-protection claims elsewhere. We can review your notice, help you preserve evidence, and advise on next steps at no upfront cost. Contact us today.