Skip to main content
close search
site logo

Hertz says personal data breached in connection with Cleo file-transfer flaws

The company is the latest organization to investigate or disclose an incident linked to a monthslong attack spree.

Published April 15, 2025
David Jones's headshot
Reporter
A gray four-door crossover vehicle with a woman seated with her hand on the steering wheel is parked in front of a Hertz building.
A person is seated in a four-door crossover vehicle parked in front of a Hertz building. Hertz disclosed a data breach in connection with vulnerabilities in Cleo file-transfer software. Courtesy of Hertz/GM

Hertz Corp. confirmed a threat actor gained access to sensitive personal data in a breach linked to vulnerabilities in Cleo file-transfer software, according to a filing Friday with the Maine Attorney General’s office. 

Hertz said it learned on Feb. 10 that an unauthorized third party obtained the data in connection with an attack spree that took place between October and December 2024. Hertz completed an analysis of the stolen data on April 2. 

“Importantly, to date, our investigation has found no evidence that Hertz’s own network was affected by this event,” a Hertz spokesperson said via email. 

According to the filing, more than 3,400 Maine residents were impacted by the breach. Maine usually discloses the total number of people affected by breaches, but Hertz’s filing discloses only those affected within the state. 

Hertz said it has reported the incident to law enforcement and was in the process of notifying relevant regulatory authorities. Hertz is a publicly traded company, but it is not immediately clear whether a filing with the U.S. Securities and Exchange Commission has been made or is necessary. 

Companies must disclose within four business days of whether an incident is considered material to financial performance.

The Hertz parent company includes the Hertz, Dollar and Thrifty rental car brands. The company reported $9 billion in revenue in 2024.

Hertz said it was among many companies affected by the attack. 

As previously reported, Clop ransomware claimed credit for an attack spree related to vulnerabilities in the file-transfer software. 

The company disclosed critical flaws in Cleo Harmony, VLTrader and Lexicon in December. The flaws were tracked as CVE-2024-50623, an unrestricted file upload and download vulnerability,  and CVE-2024-55956, which allows an unauthenticated user to import and execute arbitrary bash or PowerShell commands on a host system. 

Just last week, breakfast cereal giant WK Kellogg confirmed a breach of employee data was linked to the Cleo vulnerabilities. 

Sam’s Club, a unit of Walmart, previously said it was investigating a possible attack after the company name was listed on a Clop leak site. 

Hertz was also listed on the Clop leak site, researchers at Huntress confirmed. It is not immediately clear whether Clop made any type of ransom demands against Hertz. 

As previously reported, Clop listed dozens of companies on its leak site in connection with the attack spree. 

Clop is considered one of the most prolific threat groups in history, as it was behind another massive attack spree in 2023 in connection with vulnerabilities in MOVE-it file-transfer software.

Editors' picks

Company Announcements

View all | Post a press release
GitGuardian Launches NHI Governance: Bringing Order to the Chaos of Non-Human Identity Security
From GitGuardian
April 15, 2025
12th Annual Edition of the BeyondTrust Microsoft Vulnerabilities Report Reveals Record-Breakin…
From BeyondTrust
April 15, 2025
As Attacks Grow on Critical Infrastructure, New RunSafe Tool Scores Hidden Threats in Embedded…
From RunSafe Security
April 07, 2025
Monro Data Breach Investigation
From Migliaccio & Rathod LLP
March 26, 2025
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.