A Wake-Up Call for Corporate Cybersecurity
In a troubling development that highlights the growing threat of supply chain vulnerabilities and ransomware gangs, car rental giant Hertz Corporation has confirmed it suffered a data breach. The incident, rooted in a zero-day vulnerability in Cleo’s file transfer software, led to the exposure of customer data across Hertz and its affiliated brands, Thrifty and Dollar.
This breach is part of a larger wave of cyberattacks perpetrated by the Clop ransomware gang, known for targeting organizations through zero-day vulnerabilities in secure file transfer platforms. As these types of attacks become increasingly sophisticated, companies relying on third-party services are finding themselves caught in the crossfire.
Now, with sensitive personal data—ranging from names and
What Happened: Full Breakdown in
Hertz Corporation has disclosed a data breach linked to the exploitation of zero-day vulnerabilities in the Cleo platform, a managed file transfer solution widely used by enterprises.
The attack occurred in two separate instances: October 2024 and December 2024. However, the company only confirmed the breach on February 10, 2025.
The breach affected not only Hertz but also its subsidiary rental brands, Thrifty and Dollar.
Hackers accessed customer data, which may include names, contact information, dates of birth, credit card details, driver’s license numbers, and information tied to workers’ compensation claims.
A smaller group of affected individuals may also have had sensitive identifiers exposed, such as Social Security numbers, passports, and Medicare or Medicaid IDs.
The company hasn’t released the total number of affected customers but confirmed that 3,409 residents in Maine were notified, along with individuals in California and Vermont.
Despite the breach, Hertz claims no misuse of the stolen personal information has been detected—yet.
The Clop ransomware group has claimed responsibility and reportedly leaked Hertz’s data on its extortion site.
Clop exploited vulnerabilities in Cleo’s Harmony, VLTrader, and LexiCom platforms to steal sensitive files.
The same group is believed to have stolen data from 66 organizations during this attack campaign.
Other impacted companies include Western Alliance Bank, WK Kellogg Co, and Sam’s Club.
Clop, also known as TA505 or Cl0p, has shifted from ransomware to data theft and extortion strategies since 2020.
They often target unpatched or unknown zero-day vulnerabilities in widely used software platforms.
Previous Clop campaigns targeted other secure file transfer platforms like MOVEit Transfer, GoAnywhere MFT, and SolarWinds Serv-U.
These attacks have cost businesses millions in ransom and security recovery efforts.
Following the breach, Hertz is offering two years of free identity monitoring services to affected customers.
Customers are also being advised to monitor financial accounts and report suspicious activity.
The breach highlights serious vulnerabilities in third-party software integrations used by enterprise companies.
Security experts believe that the Clop group’s exploitation of zero-day flaws signals a higher level of sophistication in their tactics.
The MITRE ATT&CK framework reveals that a handful of techniques are used in over 90% of major attacks, including those seen here.
Analysts warn that companies relying on cloud-based or managed file transfer platforms should take urgent action to reassess their cybersecurity hygiene.
Hertz’s incident represents the latest in a series of cascading failures in supply chain security.
Cleo has not publicly disclosed the scope of the vulnerability or issued a technical breakdown.
Industry watchdogs are calling for improved standards in secure software development and vulnerability disclosure.
The breach may impact Hertz’s reputation and customer trust in the months to come.
Legal and financial repercussions could follow, especially if identity theft cases emerge.
The Federal Trade Commission may investigate depending on how Hertz handled the data breach internally.
Cyber insurance providers may also scrutinize Hertz’s cybersecurity protocols before approving future claims.
Many believe that tighter regulations around third-party software use are now inevitable.
What Undercode Says:
The Hertz data breach is a textbook case of modern cybersecurity risk stemming from third-party software vulnerabilities. In this case, Cleo’s file transfer software became the weak link, and Hertz’s reliance on it opened the floodgates for the Clop ransomware group. The attack wasn’t a standalone event—it was part of a broader, highly coordinated campaign that exploited zero-day vulnerabilities to access confidential enterprise data.
This signals an urgent need for corporations to rethink how they assess vendor risk. It’s no longer enough to assume that because software is widely used, it’s inherently secure. The fact that Cleo’s platform is trusted by numerous companies didn’t prevent Clop from exploiting a flaw that had gone undetected by traditional security mechanisms.
Hertz’s response—offering identity monitoring and notifying affected users—is commendable, but it doesn’t erase the reality that customer data was exfiltrated and potentially exposed on dark web forums or extortion sites. This is about more than just PR damage; it’s about long-term consequences for consumer trust and regulatory scrutiny.
Another pressing concern is the timeline. The attacks occurred in October and December of 2024, but weren’t confirmed until February 2025. That delay could be critical. In the world of cybercrime, even a few days can make the difference between containment and catastrophe. It suggests a possible gap in Hertz’s ability to detect breaches early—something that will likely be examined in regulatory investigations.
The Clop group’s pivot from traditional ransomware to pure data theft is also noteworthy. By bypassing encryption and focusing on theft and extortion, they reduce their operational risk while maximizing pressure on victims. This trend shows how ransomware gangs are evolving in real time, and why defensive strategies must also evolve.
In terms of legal exposure, Hertz may face class-action lawsuits if identity theft or fraud cases emerge. Even if the number of affected individuals is “small” by corporate standards, each individual represents a potential legal risk.
This breach also reminds us that cybersecurity
Looking ahead, companies must invest in proactive security measures, including vulnerability scanning, zero-trust architecture, and real-time threat intelligence. Periodic audits of third-party vendors, mandatory patch cycles, and secure software development life cycles (SSDLC) must become standard practice.
The question now is not if another breach will happen, but when—and whether companies will be better prepared the next time. The Hertz incident is just another reminder that in the digital age, data is currency—and protecting it must be a top priority.
Fact Checker Results:
- Hertz confirmed a data breach tied to zero-day vulnerabilities in Cleo software exploited in late 2024.
- Over 3,400 people in Maine alone were affected, with other states also impacted.
- The Clop ransomware group has claimed responsibility, linking this to a larger campaign targeting 66 companies.
References:
Reported By: www.bleepingcomputer.com