Hertz warns UK customers of Cleo-linked data breach | Computer Weekly

Last updated: 2025/04/16 at 5:06 AM
News Room Published 16 April 2025

Car hire giant Hertz has disclosed a worldwide data breach affecting the UK and other major markets, after becoming embroiled in a serious compromise of Cleo Communications’ suite of managed file transfer (MFT) products by the Clop (aka Cl0p) ransomware gang.

Although parent Hertz Corporation – which besides the eponymous rental firm operates the Dollar and Thrifty brands – was earlier named by Clop on its leak site, the organisation had previously said there was no evidence of an intrusion.

In its latest notice, it did not name Clop or officially disclose an extortion or ransomware attack, but revealed that it appeared the incident had affected the personal information of certain individuals.

A spokesperson said: “On 10 February 2025, we confirmed that Hertz data was acquired by an unauthorised third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024. Hertz immediately began analysing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted.

“We completed this data analysis on 2 April 2025, and concluded that the personal information involved in this event may include the following regarding UK individuals: name, contact information, date of birth, driver’s license information and payment card information.”

Hertz has reported the incident to law enforcement and is in the process of engaging relevant national regulators. It is also working with Kroll to provide two years of free identity monitoring services to potentially affected individuals. This offer is also being made available to affected customers in the US – where other data including social security numbers, as well as Medicare and Medicaid identification, has also been affected.

Customers in Australia, Canada, the European Union (EU) and New Zealand can also consult localised notices for further guidance.

US-based Cleo has become the latest in a long line of file transfer services and tools to have been targeted by Clop – probably the most notable of these being the compromise of Progress Software’s MOVEit tool in the spring of 2023.

Clop’s attacks on Cleo arose through two common vulnerabilities and exposures (CVEs), tracked as CVE-2024-50623 and CVE-2024-55956, in Cleo’s Harmony, VLTrader and LexiCom products.

The first of these arises through improper handling of file uploads in the Autorun directory, which enables an attacker to upload malicious files to a server and execute them. The second enables remote code execution (RCE) through Autorun by enabling an unauthenticated user to import and execute arbitrary Bash or PowerShell commands on the host using default settings. It also lets an attacker deploy modular Java backdoors to steal data and conduct lateral movement.

Dray Agha, senior manager of security operations at Huntress, which has been at the forefront of tracking the Cleo incident since the vulnerabilities first surfaced, said: “The Hertz data breach underscores the significant risks posed by unpatched zero-day vulnerabilities in widely used third-party platforms like Cleo. This highlights the importance of maintaining robust vulnerability management programmes to identify and address security gaps in software promptly, especially those used for sensitive data transfer.

“The breach also reflects a growing trend of cyber criminals targeting secure file transfer platforms, which are integral to many organisations’ operations. The evolving tactics of ransomware groups, shifting focus from encryption to data theft and extortion, signal the need for comprehensive cyber security strategies, including encryption of sensitive data at rest and in transit, and heightened monitoring of external connections.”
