Car rental service Hertz has provided notice of a data breach potentially affecting customer information. According to a filing with the Maine Attorney General’s office, the breach is connected to Cleo file-transfer software vulnerabilities. It is currently understood that the malicious actors leveraged zero-day vulnerabilities in order to gain access. 

The organization learned of the breach on February 10, 2025, determining that data was accessed by malicious actors. According to the notice, the company immediately enacted investigative measures to determine the scope of the incident as well as the individuals impacted. 

The investigation found that the following personal information may have been compromised: 

• Names
• Dates of birth
• Contact information
• Credit card details 
• Driver’s licenses 
• Workers’ compensation claim data 

Thomas Richards, Infrastructure Security Practice Director at Black Duck, remarks, “It’s incredibly unfortunate that customers had their sensitive information compromised in such an attack. Data is a form of currency for cybercriminals, and therefore it is essential that all organizations harboring sensitive information manage their software risk by taking measures to improve their cybersecurity posture to prevent a compromise like this from happening again.”