Hertz Data Breach, Caused by Cl0p Ransomware Attack on Cleo Vendor

• Cl0p Ransomware was revealed to be behind the recent Hertz Corporation data breach that exposed sensitive information.
• Hertz was working with third-party company Cleo, which suffered a massive compromise in 2024.
• Details like names, contact information, driver’s licenses, and more were impacted.

Hertz Corporation, the globally recognized car rental company operating brands like Hertz, Dollar, and Thrifty, has confirmed a significant data breach stemming from vulnerabilities in the Cleo file transfer platform. This security incident was linked to the notorious Cl0p ransomware group.  

Two zero-day vulnerabilities in Cleo’s file transfer products (CVE-2024-50623 and CVE-2024-55956) were exploited by Cl0p during October and December 2024. Hertz confirmed the breach in February 2025 and initiated customer notifications this month. 

Hertz utilized Cleo for limited purposes, yet the attack led to the exfiltration of sensitive data, including names, birth dates, addresses, driver’s license numbers, and credit card details.  

A smaller subset of customers also experienced exposure of highly sensitive information like Social Security numbers, passport details, Medicare or Medicaid IDs, and workers' compensation-related data. 

Cl0p employed automated, zero-day exploit campaigns on Cleo's managed file transfer (MFT) solutions, such as Harmony, VLTrader, and LexiCom. 

Cl0p has added stolen data from these organizations to its Tor-based leak site, making parts of the breached data available for download. Hertz's notification to the Maine Attorney General reveals that 3,409 Maine residents were affected, further highlighting the scope.  

Hertz has committed to supporting affected customers by offering two years of free identity and dark web monitoring through Kroll. The company states there is no evidence of fraudulent use of the stolen data and its own network systems were uncompromised during the Cleo breach. 

The breach has reportedly impacted over 70 organizations worldwide, with Hertz being one of the high-profile victims. Other companies affected by the Cleo security incident and extorted by Cl0pRansomware are Kellogg's and Walmart-owned Sam’s Club.

In 2023, the Cl0p gang deployed attacks based on zero-day exploits in file-sharing software like MOVEit Transfer and GoAnywhere MFT.