Hertz Data Breach Exposes Sensitive Personally Identifiable Information

Published: April 11, 2025
Updated: April 11, 2025
Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information

On February 10, 2025, Hertz System, Inc. confirmed that personal information belonging to individuals associated with Hertz Rental Car, Dollar, and Thrifty brands was compromised due to a security incident involving their vendor, Cleo Communications US, LLC. Cleo provides a file transfer platform used by Hertz.

The breach occurred when an unauthorized third party exploited zero-day vulnerabilities in Cleo's platform during two separate incidents in October 2024 and December 2024. Zero-day vulnerabilities are previously unknown software flaws that attackers exploit before developers become aware of them, making them particularly dangerous and difficult to prevent.

Following the discovery of the breach, Hertz began analyzing the impacted data to determine the scope of the incident and identify affected individuals. This analysis was completed on April 2, 2025, revealing that the breach potentially exposed a wide range of sensitive personal information.

The types of personally identifiable information (PII) compromised include names, contact information, dates of birth, credit card details, and driver's license information. Additionally, some individuals' Social Security numbers, government identification numbers, and passport information were exposed.

Protected health information (PHI) was also involved for a small number of individuals, including Medicare or Medicaid IDs associated with workers' compensation claims, as well as injury-related information from vehicle accident claims.

At this time, Hertz has not disclosed the exact number of individuals affected by this breach. However, given the extensive nature of the exposed data, individuals whose information was compromised are at increased risk of identity theft, financial fraud, and potential misuse of their health information.

Hertz's response

To assist those potentially impacted, Hertz has partnered with Kroll to offer two years of complimentary identity monitoring and dark web monitoring services. Affected individuals residing in the United States can sign up for these monitoring services by visiting the dedicated identity monitoring enrollment page.

Although Hertz has not yet found evidence of misuse of the compromised information, individuals potentially impacted by this breach should remain vigilant. It is recommended that affected individuals review their financial account statements regularly, closely monitor their credit reports, and immediately report any suspicious or unauthorized activities.

Under federal law, individuals are entitled to one free credit report annually from each of the three major credit reporting agencies. To request a free credit report, visit Annual Credit Report or call 1-877-322-8228.

Individuals concerned about potential identity theft can also place a fraud alert or a credit freeze on their credit files by contacting any one of the three major credit bureaus: Equifax, Experian, or TransUnion.

For additional guidance on identity theft prevention and response, individuals can contact the Federal Trade Commission's Identity Theft Clearinghouse or their respective state Attorney General's office.

For more information about Hertz, visit the company's official website at Hertz.com.

Affected Entity: Hertz
Consumers Notification Date:
Date of Breach: December 2, 2024
Breach Discovered Date: February 10, 2025
Total People Affected:
Information Types Exposed:
  • name
  • contact information
  • date of birth
  • credit card information
  • driver’s license information
  • information related to workers’ compensation claims
  • Social Security or other government identification numbers
  • passport information
  • Medicare or Medicaid ID