Hertz
Clop
Hertz data breach: Cleo zero-day attack exposes customer info. Learn how Clop ra...
Hertz Corporation has confirmed a significant data breach affecting customers of its Hertz, Dollar, and Thrifty car rental brands. The breach, disclosed in April 2025, resulted from zero-day vulnerabilities in the Cleo Communications file transfer platform that the notorious Clop ransomware gang exploited. This comprehensive analysis examines the breach details, affected customer data, Hertz’s response, and the broader implications of the Cleo vulnerability exploitation campaign.
## Hertz Data Breach: Timeline and Scope
Hertz Corporation [confirmed](https://www.hertz.com/content/dam/hertz/global/resources/Notice_of_Data_Incident-United_States.pdf) on February 10, 2025, On February 10, 2025, Hertz Corporation confirmed that customer data was _“acquired by an unauthorized third party”_ that exploited zero-day vulnerabilities in Cleo’s file transfer platform during October and December 2024. After completing its data analysis on April 2, 2025, Hertz determined that various types of customer information had been compromised.
The compromised data includes names, contact information, dates of birth, credit card details, driver’s license information, and workers’ compensation claims records. More sensitive information may have been exposed for a smaller subset of affected individuals, including Social Security numbers, government identification numbers, passport information, Medicare or Medicaid IDs, and injury-related information associated with vehicle accident claims.
While Hertz has not publicly disclosed the total number of affected customers globally, regulatory filings indicate that the breach impacted at least 3,409 Maine residents. The breach appears to have affected customers internationally, with notifications posted on Hertz websites in the United States, Canada, the European Union, the United Kingdom, Australia, and New Zealand.
### Attribution to Clop Ransomware Gang
The attack has been attributed to the [Clop](https://www.secureblink.com/threat-research/clop-ransomware) (also stylized as Cl0p) ransomware group, which has claimed responsibility for exploiting vulnerabilities in Cleo’s managed file transfer products. Following their established pattern, Clop added Hertz to their leak site, making the stolen data available for download.
According to [Malwarebytes Labs](https://www.malwarebytes.com/blog/news/2025/04/hertz-data-breach-caused-by-cl0p-ransomware-attack-on-vendor), the number of available archives for download is "tenfold," suggesting a significant amount of stolen data.
## Cleo Vulnerabilities: Technical Details
The breach stemmed from two critical vulnerabilities in Cleo's file transfer platform, tracked as CVE-2024-50623 and [CVE-2024-55956](https://nvd.nist.gov/vuln/detail/CVE-2024-55956).
These vulnerabilities affected multiple Cleo products, including Cleo Harmony, VLTrader, and LexiCom[7][8].
[CVE-2024-50623](https://nvd.nist.gov/vuln/detail/CVE-2024-50623) involves improper handling of file uploads in the Autorun directory, enabling attackers to upload and execute malicious files on a server[8]. CVE-2024-55956 allows for remote code execution through Autorun, enabling unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host using default settings[8]. This second vulnerability also facilitates the deployment of modular Java backdoors to steal data and conduct lateral movement within networks.
### Pattern of Targeting File Transfer Platforms
This incident represents the latest in a series of attacks by Clop targeting managed file transfer platforms. In 2023, the group executed a similar campaign exploiting vulnerabilities in Progress Software’s MOVEit Transfer tool, which affected hundreds of organizations worldwide[8][7]. Dray Agha, senior manager of security operations at Huntress, noted that the Hertz breach “reflects a growing trend of cyber criminals targeting secure file transfer platforms, which are integral to many organisations’ operations"[8].
## Broader Impact of the Cleo Campaign
The Cleo vulnerabilities exploitation campaign has had far-reaching effects beyond Hertz. Other confirmed victims include [Western Alliance Bank](https://www.secureblink.com/cyber-security-news/hackers-stole-22-k-social-security-numbers-in-a-80-b-bank-scandal), WK Kellogg Company, and Sam's Club. Security researchers at Comparitech have suggested that “many more breach notifications from this exploit" may be forthcoming, as Clop has added over 350 victims to its data leak site[3].
The impact of the Cleo breach has been significant enough to drive a measurable increase in ransomware activity. According to ReliaQuest, the incident fueled a 23% increase in overall ransomware activity between Q4 2024 and Q1 2025[3]. Paul Bischoff, a consumer privacy advocate at Comparitech, told SecurityWeek in March 2025 that hundreds of organizations were likely affected by the Cleo incident.
## Hertz's Response to the Breach
Hertz has emphasized that its own network was not compromised in the attack. "Importantly, to date, our forensic investigation has found no evidence that Hertz's own network was affected by this event," a Hertz spokesperson told SecurityWeek[2][9]. The company has confirmed that Cleo investigated the incident and addressed the identified vulnerabilities.
As part of its response, Hertz has:
1. Reported the incident to law enforcement and relevant regulatory authorities. Filed data breach notifications with the Attorney General’s Offices in several states, including Maine, California, and Vermont. Secured Kroll's services to provide two years of free identity monitoring or dark web monitoring services to potentially affected individuals. Established a dedicated phone line for customers seeking additional information about the breach.
In its notification, Hertz stated: _"While Hertz is not aware of any misuse of personal information for fraudulent purposes in connection with the event, we encourage potentially impacted individuals, as a best practice, to remain vigilant to the possibility of fraud or errors by reviewing account statements and monitoring free credit reports for any unauthorized activity and reporting any such activity"_.
## The Clop Ransomware Gang: Evolution and Tactics
The Clop ransomware gang, also known as TA505 and Cl0p, began operations in March 2019, initially targeting companies with ransomware attacks[9][7]. Since 2020, the group has shifted its focus toward data theft attacks, particularly exploiting zero-day vulnerabilities in secure file transfer platforms.
Clop's attack methodology has evolved to become more systematic and scalable. In 2023, the group “broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits in file sharing software like MOVEit Transfer and GoAnywhere MFT”. The group has continued this approach with the Cleo attacks in 2024.
### Operational Pattern
Clop's operational pattern typically involves:
1. Identifying and exploiting zero-day vulnerabilities in widely used file transfer platforms
2. Mass-exploiting these vulnerabilities to steal data from multiple organizations simultaneously
3. Adding victim companies to their leak site
4. Demanding ransom payments to prevent the public release of the stolen data. Leaking the data of non-paying victims
This evolution from traditional ransomware encryption attacks to data theft and extortion reflects a broader trend in the cybercriminal ecosystem, as noted by security experts[8].
## Recommendations for Affected Customers
Hertz has provided several recommendations for potentially affected individuals to protect themselves against possible fraud or identity theft:
1. Remain vigilant by reviewing account statements and monitoring credit reports for unauthorized activity
2. Consider placing a fraud alert on credit files with the three major credit reporting bureaus (Equifax, Experian, and TransUnion)
3. As an alternative to a fraud alert, consider placing a credit freeze (also known as a security freeze) on credit reports
4. File a police report in the event of identity theft or fraud
5. Report instances of known or suspected identity theft to law enforcement and the relevant state Attorney General
Additionally, affected U.S. residents can sign up for the offered identity monitoring services through Kroll at the designated website: http://hufcuwxgqzil.kroll.com/.
## Broader Implications and Future Concerns
The Hertz data breach illustrates several concerning trends in the cybersecurity landscape:
### Supply Chain Vulnerabilities
The incident highlights the significant risks posed by supply chain vulnerabilities. Even though Hertz’s own network wasn’t directly compromised, the company suffered a major data breach through a third-party vendor. As companies increasingly rely on external partners and services, these interconnections create new attack vectors that can be difficult to secure.
### Targeting of File Transfer Platforms
The continued targeting of file transfer platforms by ransomware groups like Clop represents a strategic focus on critical business infrastructure. These platforms often contain valuable data being transferred between organizations and may not receive the same level of security scrutiny as other systems.
### Scale of Modern Attacks
The Cleo campaign demonstrates how modern ransomware groups have developed capabilities to simultaneously conduct large-scale, automated attacks affecting hundreds of organizations. This represents a significant evolution from earlier, more targeted approaches.
While Hertz has responded with appropriate mitigation measures, including offering identity monitoring services to affected individuals, this breach underscores the growing threat posed by supply chain attacks and the targeting of file transfer platforms. The incident also demonstrates the evolving tactics of ransomware groups, which increasingly focus on data theft and extortion rather than traditional encryption-based attacks.
For affected individuals, maintaining vigilance through regular monitoring of financial accounts and credit reports remains the best defense against potential fraud resulting from this breach.
