Car rental giant Hertz is alerting customers that personal information including credit card details and Social Security numbers may have been stolen in a data breach that impacted one of the firm’s vendors. In a notice posted to its website, Hertz says that company data “was acquired by an unauthorized third-party” during a cyberattack exploiting zero-day vulnerabilities within the Cleo Communications file transfer platform between October 2024 and December 2024.

The data theft was confirmed by Hertz on February 10th, with further analysis on April 2nd concluding that customers’ names, contact information, dates of birth, credit card information, driver’s license details, and information related to workers’ compensation claims may have been exposed by the breach. Hertz also says that “a very small number of individuals” had their Social Security numbers taken in the breach, along with passport numbers and other government-issued identification data.

Hertz says that the incident is being reported to law enforcement and relevant regulators, and that Cleo has since addressed “the identified vulnerabilities.”

The website notice is viewable across multiple regions, including the US, Canada, the European Union, the United Kingdom, and Australia. Hertz has not revealed how many of its customers have been impacted by the breach but says it is “not aware of any misuse of personal information for fraudulent purposes in connection with the event.” We have asked Hertz to clarify how many customers are affected.

The group or individual responsible for the cyberattack has not been identified. Cleo, which is used by a wide range of global organizations, was notably targeted by a mass-hacking campaign in October last year. The Russia-affiliated Clop ransomware gang later claimed responsibility for those attacks, leaking Cleo company data on its extortion site and listing 59 organizations it claimed to have breached via vulnerabilities in Cleo’s platform.