Car hire company Hertz disclosed that customer data was compromised during last year’s zero-day data breaches on Cleo file transfer products. The breach notification was issued on behalf of Hertz, Dollar, and Thrifty brands, indicating that customers of all three car hire businesses owned by Hertz Corporation were impacted.
Although Hertz did not reveal the exact number of customers affected, they confirmed that names, contact information, dates of birth, credit card details, driver’s license information, and information related to workers’ compensation claims were among the data stolen. Additionally, a subset of customers may have had more sensitive information exposed, such as Social Security or other government identification numbers, passport details, Medicare or Medicaid IDs, and injury-related information associated with vehicle accident claims.
The theft of Medicare data by a car hire company may seem unusual, but it was linked to workers’ compensation claims. The files were extracted from a Cleo file transfer product utilized by Hertz for specific purposes, although the company did not specify which product was affected.
At the time of the data breaches last year, Cleo had patched its Harmony, VLTrader, and LexiCom products against known vulnerabilities. The cybercrime group Cl0p claimed responsibility for the attacks, which reportedly affected around 70 organizations.
Hertz’s notification letter emphasized the company’s commitment to data privacy and security. They stated that Cleo had taken steps to investigate the breach and addressed the vulnerabilities. Law enforcement was notified, and relevant regulators will also be informed about the incident. Despite no evidence of misuse of stolen data, Hertz urged customers to remain vigilant for any fraudulent activities on their accounts.
As a precautionary measure, Hertz enlisted Kroll to provide affected individuals with two years of identity monitoring or dark web monitoring services. While most organizations impacted by the Cleo attacks have not publicly acknowledged the breaches, German manufacturer Covestro confirmed a successful attack.
In conclusion, the breach of customer data at Hertz due to the Cleo file transfer product vulnerabilities underscores the importance of robust cybersecurity measures to protect sensitive information. As companies continue to face cyber threats, it remains crucial for organizations to prioritize data security and promptly address any potential vulnerabilities to safeguard customer data.