Hertz corporation confirms data breach affecting customers of multiple car rental brands

The Hertz Corporation has confirmed a significant data breach affecting customers of its Hertz, Thrifty, and Dollar rental car brands. According to a notification released by the company, customer information was stolen as part of the Cleo zero-day data theft attacks that occurred in late 2024.

The company discovered the breach on February 10, 2025, confirming that an "unauthorized third party" had exploited zero-day vulnerabilities within the Cleo platform during October and December 2024. After discovering the breach, Hertz immediately began analyzing the compromised data to determine the full scope of the incident and identify affected individuals. The exposed data includes

• Customer names
• Contact information
• Dates of birth
• Credit card information
• Driver's license information
• Information related to workers' compensation claims
• Social Security numbers
• Government identification numbers
• Passport information
• Medicare or Medicaid IDs (associated with workers' compensation claims)
• Injury-related information associated with vehicle accident claims

Hertz has not disclosed the total number of affected individuals. Maine's Attorney General's Office reports that 3,409 residents of that state alone are receiving breach notifications. The company has also filed notifications with authorities in California and Vermont, but these states do not report specific numbers of affected residents.

Hertz is offering impacted customers two years of free identity monitoring services. The company states that it has not detected "any misuse of personal information for fraudulent purposes" thus far.

Update - Hertz has published notices aimed at customers in the US, EU, Canada, UK and Australia.
According to those notices, the following type of information was compromised:

• US individuals: name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims compromised. “A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event,” Hertz added
• UK individuals: name, contact information, date of birth, driver’s license information and payment card information
• Canadian individuals: name, contact information, date of birth, credit card information and driver’s license information. Some of them “may have had their government identification numbers, injury-related information associated with vehicle accident claims or information related to worker’s compensation claims” compromised
• Australian and EU individuals: name, contact information, date of birth, driver’s license information and payment card information. Some of them may have had their passport information compromised

As of 16th of April Hertz reports that 96,665 residents of Texas were affected, apart from the already reported 3,409 residents of Maine. The total global impact is not disclosed