American car rental giant Hertz says personal information of Australian customers, including information from passports, driver licences, and payment cards, appears to have been compromised in a data breach involving one of its third-party vendors.
The company announced details of the breach on Tuesday and said it would also impact customers of its other car rental brands Thrifty and Dollar, including in other global markets.
The breach allegedly occurred during cyberattacks on US supply chain software company Cleo between October and December 2024.
Hertz used Cleo’s file transfer platform “for limited purposes”, the company said in a data breach notification.
Zero-day vulnerabilities exploited
Hertz said it confirmed on 10 February 2025 that Hertz data had been “acquired by an unauthorised third party that we understand exploited zero-day vulnerabilities within Cleo’s platform”.
Zero-day vulnerabilities are high-risk security flaws often targeted by cybercriminals because the vendor and the owner of the system being attacked are not yet aware of the flaw, so no fix has been applied when the attack occurs.
“Hertz immediately began analysing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted,” the company said.
Hertz said it finished its analysis on 2 April, and found the personal information involved in the breach “may include” Australian individuals’ “name, contact information, date of birth, driver licence information and payment card information”.
“A very small number” of people may have also had their passport information compromised, Hertz added.
The company has also disclosed details of the breach to other customers in New Zealand, the United States, Canada, the European Union, and the United Kingdom.
Customers told to ‘remain vigilant’
Hertz said it was “not aware of any misuse of personal information for fraudulent purposes” following the Cleo breach.
However, Russian-speaking ransomware gang Clop has previously leaked alleged data from Hertz and other companies on its extortion site, and has claimed responsibility for exploiting vulnerabilities in Cleo’s file transfer platforms.
Hertz has encouraged potentially impacted customers to “remain vigilant to the possibility of fraud or errors by reviewing account statements and monitoring credit reports for any unauthorised activity and reporting any such activity”.
The company said it did not have any evidence to suggest its own computer networks had been affected.
Hertz said it was reporting the Cleo event to law enforcement and industry regulators, and had confirmed with Cleo that it had addressed the vulnerabilities.
Concerned customers could contact Hertz during UK business hours on +44 20 3807 8188, the company said.
Potentially impacted customers would be able to use identity monitoring services provided by the company Kroll for two years at no cost, Hertz added.
Cleo is yet to publicly comment on the incident.