Automotive rental big Hertz has begun notifying its prospects of a data breach that included their private info and driver’s licenses.
The rental firm, which additionally owns the Greenback and Thrifty manufacturers, stated in notices on its web site that the breach pertains to a cyberattack on one among its distributors between October 2024 and December 2024.
The stolen information varies by area, however largely consists of Hertz buyer names, dates of beginning, contact info, driver’s licenses, cost card info, and employees’ compensation claims. Hertz stated a smaller variety of prospects had their Social Safety numbers taken within the breach, together with different government-issued identification numbers.
Notices on Hertz’s web sites disclosed the breach to prospects in Australia, Canada, the European Union, New Zealand, the UK.
Hertz additionally disclosed the breach with a number of U.S. states, together with California and Maine. Hertz stated not less than 3,400 prospects in Maine have been affected, however didn’t listing the whole variety of affected people, which is prone to be considerably increased.
Emily Spencer, a spokesperson for Hertz, wouldn’t present information.killnetswitch with a selected variety of people affected by the breach however stated it might be “inaccurate to say tens of millions” of consumers are affected.
The corporate attributed the breach to a vendor, Cleo Software program, which final yr was on the middle of a mass-hacking marketing campaign by a prolific Russia-linked ransomware gang.
Hertz is one among dozens of corporations that used Cleo Software program on the time of their information thefts. The Clop ransomware gang claimed final yr to have exploited a zero-day vulnerability in Cleo’s extensively used enterprise file switch merchandise, which permit corporations to share giant units of delicate information over the web. By breaching these techniques, the hackers stole reams of information from Cleo’s company prospects.
Quickly after, the Clop ransomware gang claimed on its darkish internet leak website that it stole information from near 60 corporations by exploiting the bug of their Cleo techniques. In a later submit, Clop claimed dozens extra alleged company victims.
The information extortion marketing campaign turned probably the most notable mass-hacks of 2024.
On the time, Hertz, which was named on Clop’s website, stated it had “no proof” that Hertz information or Hertz techniques have been affected.
On Monday, Hertz’s spokesperson informed information.killnetswitch it discovered no proof that Hertz’s personal community was affected by the breach, however confirmed that Hertz information “was acquired by an unauthorized third celebration that we perceive exploited zero-day vulnerabilities inside Cleo’s platform in October 2024 and December 2024.”
A Cleo government didn’t reply to information.killnetswitch’s inquiry on Monday.
