Automobile rental large Hertz has begun notifying its prospects of a knowledge breach that included their private data and driver’s licenses.
The rental firm, which additionally owns the Greenback and Thrifty manufacturers, stated in notices on its website that the breach pertains to a cyberattack on one among its distributors between October 2024 and December 2024.
The stolen knowledge varies by area, however largely contains Hertz buyer names, dates of delivery, contact data, driver’s licenses, fee card data, and employees’ compensation claims. Hertz stated a smaller variety of prospects had their Social Safety numbers taken within the breach, together with different government-issued identification numbers.
Notices on Hertz’s web sites disclosed the breach to prospects in Australia, Canada, the European Union, New Zealand, the United Kingdom.
Hertz additionally disclosed the breach with a number of U.S. states, together with California and Maine. Hertz stated at the least 3,400 prospects in Maine have been affected, however didn’t record the overall variety of affected people, which is prone to be considerably greater.
Emily Spencer, a spokesperson for Hertz, wouldn’t present TechCrunch with a selected variety of people affected by the breach however stated it could be “inaccurate to say thousands and thousands” of consumers are affected.
The corporate attributed the breach to a vendor, Cleo Software program, which final 12 months was on the middle of a mass-hacking marketing campaign by a prolific Russia-linked ransomware gang.
Hertz is one among dozens of corporations that used Cleo Software program on the time of their knowledge thefts. The Clop ransomware gang claimed final 12 months to have exploited a zero-day vulnerability in Cleo’s extensively used enterprise file switch merchandise, which permit corporations to share giant units of delicate knowledge over the web. By breaching these methods, the hackers stole reams of knowledge from Cleo’s company prospects.
Quickly after, the Clop ransomware gang claimed on its darkish internet leak web site that it stole knowledge from near 60 corporations by exploiting the bug of their Cleo methods. In a later publish, Clop claimed dozens extra alleged company victims.
The info extortion marketing campaign grew to become some of the notable mass-hacks of 2024.
On the time, Hertz, which was named on Clop’s web site, stated it had “no proof” that Hertz knowledge or Hertz methods have been affected.
On Monday, Hertz’s spokesperson instructed TechCrunch it discovered no proof that Hertz’s personal community was affected by the breach, however confirmed that Hertz knowledge “was acquired by an unauthorized third get together that we perceive exploited zero-day vulnerabilities inside Cleo’s platform in October 2024 and December 2024.”
A Cleo government didn’t reply to TechCrunch’s inquiry on Monday.