Hackers have hacked the Cleo file-sharing platform, through which the personal data of at least 100 thousand Hertz users was leaked, including driver’s license numbers, social security and payment information. The company has already sent out notifications and offered personal protection services to the victims.
The attack took place in the fall of 2024, but Hertz only discovered the hack in February 2025. The hackers took advantage of a zero-day vulnerability in the Cleo platform, which the company uses for limited tasks. While Hertz’s internal network itself was not affected, data was stolen from third-party infrastructure related to file transfers.
According to official figures, at least 96,665 people in Texas and 3,409 in Maine were affected by the breach. Given Hertz’s scale as an international retailer, the total number of victims could exceed 100,000.
The stolen information included contact information, credit card details, driver’s licenses, ID documents, as well as insurance and compensation case data, including traffic accident data.
Cleo is a popular B2B file sharing platform used by large corporations. The same hack has previously affected WK Kellogg, Western Alliance Bank, and a number of other companies, including HPE and Thomson Reuters. In October 2024, the Clop group announced the exploitation of a vulnerability in Cleo, adding Hertz to the list of victims. Although Hertz representatives would not confirm the scale of the attack, independent analysts assume that it was a mass compromise. All victims received an offer of two-year personal protection through Kroll.
The Hertz incident is another example of how chain vulnerabilities in third-party software can turn into a large-scale data leak even with internal protection. Companies that rely on external services should not only regularly test their integrations, but also have a rapid response plan in case of an attack through partners.
111 
78 
81 