Meet Our Hertz Data Breach Attorneys

According to Securityweek’s coverage of the incident, the vulnerability exploited in the Cleo platform was a zero-day flaw within its Managed File Transfer (MFT) software. A zero-day vulnerability refers to a previously unknown security flaw that developers haven’t had the chance to patch. These are particularly dangerous because cybercriminals can exploit them before a fix is available.

In this case, Cl0p ransomware actors were able to identify and exploit this zero-day flaw to gain unauthorized access to Cleo’s systems. Once inside, they could intercept and exfiltrate sensitive data being transferred by Cleo’s enterprise clients, including Hertz. MFT software is typically used to move large volumes of sensitive data between organizations securely. However, its central role in data workflows also makes it an attractive target for cybercriminals.

Security analysts believe the attackers used a combination of reverse engineering and vulnerability scanning to uncover the flaw. Once exploited, the vulnerability allowed for remote code execution, essentially giving attackers control over parts of the Cleo platform’s infrastructure. This breach highlights the importance of rapid vulnerability detection and patch deployment, especially for third-party vendors handling sensitive data.

Cleo has since released a security patch and implemented further measures, but the attack reveals critical gaps in vendor oversight and software security practices.

The Cl0p ransomware group, known for its aggressive targeting of MFT systems, gained access to Hertz customer data by exploiting Cleo’s platform. This breach didn’t stem from a direct vulnerability within Hertz’s own infrastructure but rather from its reliance on a third-party service.

Once the attackers exploited the vulnerability in Cleo’s system, they were able to access stored and in-transit data files from multiple clients, including Hertz. The Cl0p group reportedly exfiltrated these data sets without immediately encrypting them, which is unusual compared to typical ransomware tactics. Instead, Cl0p often uses data theft as leverage for extortion. Companies are threatened with public data leaks if they don’t pay a ransom.

This breach was likely carried out using automated scripts to systematically extract data once access was gained. Hertz, relying on Cleo for secure file transfers, may have unknowingly facilitated the exposure of sensitive customer information simply by conducting business as usual.

Hertz has not publicly released a detailed list of the compromised information, but based on the nature of similar breaches and the type of data processed through Cleo’s MFT platform, the compromised data likely includes:

• Full names
• Home and mailing addresses
• Email addresses
• Phone numbers
• Driver’s license numbers
• Payment information, including credit or debit card numbers
• Rental history and travel itineraries

The exposure of this kind of personal data significantly increases the risk of identity theft and fraud. For instance, driver’s license numbers can be used to commit synthetic identity fraud, while contact details can be exploited for phishing scams. In combination, these data points make it easier for attackers to impersonate individuals, open lines of credit, or sell the information on the dark web.

If payment card information was involved, customers could also be vulnerable to financial theft or fraudulent transactions. Even if full credit card numbers were not exposed, partial card data combined with other identifiers can still be exploited.

For those impacted, the effects can be long-lasting. Victims of data breaches often spend months if not years repairing their credit, securing new identification documents, and monitoring for unauthorized use of their personal information.

As of the latest disclosures, Hertz has not confirmed whether any of the stolen data has been misused. This is not uncommon in the early phases of breach investigations. Companies often withhold specifics until forensic analyses are complete or law enforcement grants permission to release more information.

However, in other breaches involving Cl0p, stolen data has been leaked on dark web forums or used to pressure companies into paying ransoms. If Hertz refuses to pay the extortion demand (assuming one was made), the risk of public exposure increases.

Despite the lack of confirmation, affected customers should assume their data is at risk and act accordingly. This includes enrolling in any identity monitoring services offered, reviewing credit reports, and being vigilant for suspicious communications or transactions.

It’s also worth noting that sometimes months pass before stolen data is actively misused. Criminals may wait to sell or use the information until the initial media attention dies down.

Hertz has stated that it is reviewing and strengthening its third-party risk management policies in light of the breach. Specifically, the company is:

• Conducting a full audit of all external vendors, particularly those handling sensitive data.
• Enhancing contractual requirements around cybersecurity standards for third-party providers.
• Implementing continuous monitoring solutions to detect abnormal activity from vendor systems.
• Creating a vendor tiering system to prioritize oversight based on data sensitivity.
• Coordinating with cybersecurity experts to develop improved incident response protocols involving third-party services.

If you're concerned that your personal information may have been exposed in the Hertz data breach, there are several proactive steps you can take to check your status and monitor your data security moving forward.

First, keep an eye on your mailbox and email inbox. Hertz has begun issuing formal breach notifications to customers whose information may have been involved. These notifications typically include information about what was compromised, how it may have happened, and what steps the company is taking. Under U.S. data breach notification laws, companies must notify affected individuals when personal data is involved, usually within a specified period after the breach is discovered.

If you haven’t received a notice but have recently rented from Hertz, especially within the timeframe the breach may have occurred, consider reaching out directly to Hertz customer service. Ask whether your information was potentially part of the breach and if you qualify for any credit monitoring or protection services. You can also visit the company’s website to check for official breach announcements, FAQs, and eligibility forms for free services.

In addition, monitor your financial accounts, credit reports, and other personal records closely. The three major credit bureaus, Equifax, Experian, and TransUnion, each allow you to request a free credit report annually. Look for any suspicious accounts or inquiries that you don’t recognize.

Lastly, sign up for dark web monitoring tools and consider placing a fraud alert or security freeze on your credit file, especially if sensitive information such as your driver’s license number or payment card data was involved. If you’re unsure about next steps, speaking with a data breach attorney can help clarify your rights and whether you’re eligible for compensation.

In response to the breach, Hertz is providing the potentially affected individuals with two years of free identity monitoring or dark web monitoring services.

Affected customers should receive an enrollment code or a link in their breach notification letter or email. It’s important to activate these services promptly. Typically, there’s a deadline by which you must enroll.

Even if you haven't noticed any suspicious activity yet, early enrollment can offer peace of mind. Identity theft can take months to surface, and these services help ensure you’re not blindsided.

If you have trouble signing up or believe you’re eligible but haven’t received information, contact Hertz’s dedicated response hotline or reach out to a data breach attorney. You may still be able to gain access to these services or pursue additional legal remedies.

Remember, these services are not a substitute for personal vigilance. Regularly checking your credit, securing your accounts with strong passwords, and staying aware of phishing tactics remain essential.

If you’ve received a data breach notification from Hertz, your next steps are critical. These letters contain time-sensitive offers for credit monitoring and may serve as important documentation if you decide to pursue legal action.

Here’s what you should do:

1. Read the letter carefully: Identify what types of data were compromised. Some letters may indicate whether it involved your driver’s license number, financial information, or other sensitive identifiers.
2. Enroll in monitoring services: Follow the instructions provided to sign up for free identity and credit monitoring. This is one of the most effective tools for early detection of fraud.
3. Save the documentation: Keep a physical or digital copy of the breach notice. If you file a lawsuit or insurance claim, this will be an important piece of evidence.
4. Check your credit reports: You’re entitled to one free report from each of the three major bureaus (Experian, Equifax, TransUnion) every 12 months. After a breach, consider staggering your requests to monitor changes over time.
5. Place a fraud alert or credit freeze: A fraud alert tells creditors to take extra precautions when verifying your identity. A credit freeze, which can be lifted at any time, prevents new credit accounts from being opened in your name.
6. Monitor your accounts: Keep an eye on your bank and credit card transactions for unauthorized charges. Consider setting up transaction alerts through your bank or card issuer.
7. Report any fraud immediately: If you detect misuse of your information, file a report with the Federal Trade Commission (FTC), contact your bank, and notify the credit bureaus.
8. Speak with an attorney: If your information was misused or if you suffered stress, time loss, or financial damage, you may be eligible for compensation. A data breach lawyer at Morgan & Morgan can help you understand your rights.

Don’t dismiss a breach letter as routine. These notifications often signal serious risk. Acting quickly can help minimize harm and protect your identity in the long run.

At this time, there is no indication that the Hertz data breach will directly affect your ability to rent a vehicle from Hertz or any of its affiliated brands. The breach itself targeted backend data transfer systems and customer information repositories, not the functionality of Hertz’s reservation systems or its ability to process bookings.

Hertz continues to operate normally, and all online and in-person rental channels remain open and active. That said, if you are a victim of the breach and take proactive steps such as freezing your credit or canceling your payment cards, you may experience minor delays or inconveniences when renting. 

If your credit card information was part of the compromised data in the Hertz breach, you should treat your card as potentially unsafe, even if no unauthorized charges have appeared yet. While Hertz has not confirmed that full card numbers were leaked, the nature of file transfer systems like Cleo’s means that transaction and billing data could have been exposed.

The first step is to determine whether your card data was actually compromised. Review any notification from Hertz carefully. If your credit card number or CVV code is mentioned in the notice, contact your bank or credit card issuer immediately. Most banks allow you to request a new card number at no charge and will transfer your existing balance and history to the new account.

Monitor your statements for unauthorized charges. Many credit cards offer real-time transaction alerts that notify you of every purchase. If you don’t already have this feature enabled, now is the time. Small, unfamiliar charges are often the first sign of misuse, as cybercriminals test whether a stolen card is active.

Additionally, use your bank’s online tools to:

• Freeze the card temporarily
• Set up custom spending limits
• Report fraudulent charges instantly

If fraud occurs, federal law limits your liability to $50 for credit cards, and most major issuers offer zero-liability policies. However, debit card protections are more limited and can expose you to greater financial risk.

You should also consider placing a fraud alert or credit freeze on your credit file. A fraud alert requires creditors to take extra steps when verifying your identity. A freeze prevents new accounts from being opened altogether.

In some cases, identity theft protection plans offered by Hertz may include credit card monitoring features. If so, take full advantage of them and understand their terms of service and coverage limits.

Ultimately, if you were affected, it’s safer to cancel and replace your credit card than to risk it being used by someone else. And if any losses do occur due to negligence or delays in notification, legal options may be available to recover your damages.

The Hertz breach, linked to vulnerabilities in Cleo’s file transfer platform, is part of a larger trend involving supply chain attacks and third-party software compromises. It closely mirrors other recent incidents, such as the MOVEit Transfer breach and the Fortra GoAnywhere MFT breach, both of which were also linked to the Cl0p ransomware group.

In the MOVEit attack, for example, Cl0p exploited a zero-day vulnerability in Progress Software’s file transfer tool to exfiltrate data from over 2,000 organizations worldwide. This included government agencies, healthcare systems, financial institutions, and universities. Like Cleo, these platforms are used for transferring sensitive information, making them prime targets for criminal groups.

The key similarity across these breaches is the use of zero-day vulnerabilities in highly trusted third-party software, enabling attackers to steal vast amounts of sensitive data without directly breaching the victim company’s main IT infrastructure. These attacks expose a serious weakness in modern enterprise environments: the heavy reliance on third-party vendors for essential business functions.

The Cl0p group has refined its techniques, using automation to identify vulnerable endpoints, exploit them rapidly, and extract data before companies can respond. In some cases, the group has even developed specialized tools to bypass authentication and extract files en masse.

What makes the Hertz/Cleo breach unique is that it impacted the transportation and rental sector, a space that has seen fewer headline breaches compared to healthcare or finance. However, the implications are just as serious. Customers renting vehicles often provide deeply personal information, including copies of driver’s licenses, payment cards, travel details, and sometimes even passport numbers.

Zero-day vulnerabilities are undiscovered flaws in software or hardware that are unknown to the party responsible for fixing them, often the developer or vendor. 

The term "zero-day" refers to the fact that the vendor has had zero days to address the issue. These flaws can be exploited by hackers to infiltrate systems, steal data, or take control of networks before any fix or patch is available.

Zero-day vulnerabilities are some of the most dangerous in cybersecurity for several reasons:

• No Immediate Defense: Since the vulnerability is unknown, there are typically no existing protections, antivirus definitions, or firewalls that can recognize the attack.
• Widespread Impact: If the affected software is widely used (as in the case of Cleo, MOVEit, or Fortra), the attack can impact hundreds or even thousands of organizations.
• High Value on the Dark Web: Hackers or exploit brokers can sell knowledge of these vulnerabilities to cybercriminal groups or nation-states for large sums of money.
• Long Dwell Times: Exploited zero-day vulnerabilities can allow intrusions to go undetected for weeks or months, prolonging data exposure.

In the Cleo breach, Cl0p actors leveraged a zero-day vulnerability to access data without detection. Because file transfer platforms operate in the background and handle high volumes of sensitive data, they often evade close scrutiny. This makes them ideal targets for sophisticated threat actors who want to maximize damage.

The best defense against zero-days is a combination of proactive vulnerability scanning, real-time threat monitoring, rapid patch management, and least-privilege access controls. Companies should also adopt a zero-trust security framework, which assumes no user or system is trustworthy by default.

The Cl0p ransomware group’s campaign targeting managed file transfer platforms like Cleo, MOVEit, and Fortra had wide-reaching consequences across multiple industries. Because these platforms are widely used to exchange sensitive data between organizations and their vendors, any sector relying on file-based integrations faces serious risks.

Industries most impacted include:

• Healthcare: Patient records, billing information, and insurance data were targeted. Providers and insurers such as HCA Healthcare and Blue Shield were among those affected in earlier Cl0p attacks.
• Government: Numerous federal, state, and local agencies were breached, including departments of transportation, public health, and social services.
• Finance and Insurance: Banks, credit unions, and mortgage providers suffered breaches involving financial records, tax documents, and personally identifiable information (PII).
• Education: Universities and school districts experienced data theft affecting student records, employee files, and research data.
• Transportation and Logistics: Hertz is the most recent and prominent example in this sector, but other transportation firms have also been impacted by Cl0p’s broader campaign.

The reason for this widespread impact is simple: managed file transfer tools are foundational to operations in virtually every major industry. Many companies affected weren’t using MOVEit or Cleo directly but suffered collateral damage because their vendors were. 

The Hertz/Cleo data breach provides a number of takeaways for businesses in every sector:

• Vet third-party vendors rigorously. Ensure any service provider, especially those handling sensitive data, has strong cybersecurity protocols and a history of rapid patch deployment.
• Implement continuous monitoring. Real-time monitoring tools can detect unauthorized data access or unusual network activity before massive data sets are exfiltrated.
• Use a zero-trust security framework. This approach ensures no device or user is trusted by default, reducing the chance of lateral movement once a system is breached.
• Establish incident response playbooks. Quick response is essential. Having a plan that includes vendor breach scenarios can minimize damage and ensure timely customer communication.
• Practice transparency. Delay in notifying affected individuals can lead to greater harm and erode public trust. Prompt disclosures and free support services should be non-negotiable.
• Invest in cybersecurity insurance. While it doesn’t replace strong defenses, it can offset costs associated with breach response, legal action, and customer restitution.

Cleo has acknowledged that its platform was among those targeted in the broader Cl0p ransomware campaign. In response to the attack, Cleo issued a public statement detailing the steps taken to investigate and mitigate the breach.

According to Cleo, they have patched the exploited zero-day vulnerability and released security updates to all clients. They initiated a forensic investigation with third-party cybersecurity experts to understand the scope of the attack.

The company is cooperating with law enforcement and regulatory agencies in an ongoing investigation.

Cleo is working directly with affected clients, including Hertz, to support breach response efforts and assist with customer notifications.

If you believe your personal data was compromised in the Hertz/Cleo data breach, you may be entitled to compensation. Victims of data breaches can suffer significant financial and emotional harm, including identity theft, fraud, lost time, and anxiety.

At Morgan & Morgan, we have a long track record of representing consumers harmed by corporate negligence. We’re already investigating claims related to this incident and are ready to help you understand your legal options.

Don’t wait until your information is misused. If you received a data breach notification from Hertz or suspect your personal information was exposed, contact us right away for a free case evaluation.