Hertz customer data stolen in breach, possibly including licenses, social security numbers

This week car rental company Hertz notified its users of a wide-ranging data breach that exposed some customers' personal information.

On Monday, April 14, TechCrunch reported the appearance of a Notice of Data Incident on the Hertz website. According to the notice, personal information including names, contact information, date of birth, credit card information, driver's license information, and "information related to workers' compensation claims" were potentially exposed in the data breach through an external vendor named Cleo.

Additionally, Social Security numbers, government IDs, passport information, Medicare or Medicaid IDs, and medical information from car accident claims may also have been stolen from "a very small number of individuals," said the notice.

Hertz discovered the breach on February 10, and customer data was stolen in October 2024 and December 2024.

The notice did not say how many customers had their personal information exposed. However, according to a copy of the notice issued to Maine residents (published by the Office of the Maine Attorney General), the breach affected 3,409 customers in Maine alone. That means the true number of impacted individuals is likely far larger, especially considering that notices were also issued to customers in Australia, Canada, New Zealand, the United Kingdom, and beyond.

A spokesperson for Hertz declined to share specific numbers but said "it would be inaccurate to say millions of customers are affected."

The breach came from a Hertz vendor called Cleo, which manages file-sharing platforms for the company. "On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024," read the notice. Hertz didn't provide any further specifics about the hack or hackers, but during those same months, cybersecurity firm Huntress reported "evidence of threat actors exploiting this [Cleo software]." Around that same time, ransomware group Clop claimed responsibility for data theft attacks targeting Cleo's servers.

In the notice, Hertz said it was "not aware of any misuse of personal information for fraudulent purposes in connection with the event." But it encouraged customers to "remain vigilant" of any instances of data breaches and shared resources on how to monitor account statements and credit reports, including how to place a fraud alert or credit freeze on their accounts. Some Hertz customers will also be offered "two years of identity monitoring services" free of charge.

UPDATE: Apr. 15, 2025, 5:30 p.m. EDT This story has been updated with new information from a Hertz representative.