Data leak: Car rental company Hertz ends investigation
In January, car rental company Hertz was blackmailed with the publication of stolen data. Now the company is explaining itself.
Hertz branch in Great Britain.
(Image: Hertz)
The car rental company Hertz and 59 other companies were blackmailed in January 2025 with the publication of sensitive data on the dark net. The company has now admitted to the data theft and presented the initial results of investigations.
In a recently published document, Hertz explains the incident. “Cleo is a provider that provides a data transfer platform that Hertz uses for limited purposes,” the company writes. “On February 10, 2025, we were able to confirm that data from Hertz was obtained by unauthorized third parties who, according to our findings, abused zero-day vulnerabilities in the Cleo platform in October 2024 and December 2024”.
Investigations initiated
Hertz immediately analyzed the data to determine the extent of the event and identify the individuals whose personal information may have been affected by the event. “We completed the analysis on April 2, 2025, and concluded that the personal data of individuals from the EU affected by the incident may include name, contact details, date of birth, driver's license data and payment card data. For a small number of affected individuals, ID data may also be affected by the incident,” Hertz continues.
Videos by heise
Hertz has ensured that Cleo has taken steps to investigate the incident and address the identified vulnerabilities, it added. Law enforcement authorities have already been informed, and the relevant regulatory authorities are currently being notified. The car rental company has also commissioned the company Kroll to carry out dark net monitoring of the data of those affected. Although the company is not aware of any cases of misuse of the leaked information, those affected should exercise caution to avoid falling victim to fraud. They should also check account statements and credit reports for unauthorized activities.
In January, the cyber gang Cl0p broke into many companies through a security gap in the Cleo data transfer software and then copied some sensitive data. The criminal group's business model is to blackmail affected companies by threatening to publish the copied data if the companies do not pay.
(dmk)
