Hertz warns UK customers of Cleo-linked data breach
Car rental giant Hertz has disclosed a worldwide data breach affecting the UK and other major markets, after becoming embroiled in a serious compromise of Cleo Communications’ suite of managed file transfer (MFT) products by the Clop (aka Cl0p) ransomware gang.
Although parent Hertz Corporation – which besides the eponymous rental agency operates the Dollar and Thrifty brands – was earlier named by Clop on its leak site, the organisation had previously said there was no evidence of an intrusion.
In its latest notice, it did not name Clop or formally disclose an extortion or ransomware attack, but revealed that it appeared the incident had affected the personal data of certain individuals.
A spokesperson said: “On 10 February 2025, we confirmed that Hertz data was acquired by an unauthorised third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024. Hertz immediately began analysing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted.
“We completed this data analysis on 2 April 2025, and concluded that the personal information involved in this event may include the following regarding UK individuals: name, contact information, date of birth, driver’s license information and payment card information.”
Hertz has reported the incident to law enforcement and is in the process of engaging relevant national regulators. It is also working with Kroll to offer two years of free identity monitoring services to potentially affected individuals. This offer is also being made available to affected customers in the US – where other data including social security numbers, as well as Medicare and Medicaid identification, has also been affected.
Customers in Australia, Canada, the European Union (EU) and New Zealand can also consult localised notices for further guidance.
US-based Cleo has become the latest in a long line of file transfer services and tools to have been targeted by Clop – probably the most notable of these being the compromise of Progress Software’s MOVEit tool in the spring of 2023.
Clop’s Cleo attacks arose through two common vulnerabilities and exposures (CVEs) tracked as CVE-2024-50623 and CVE-2024-55956 in Cleo’s Harmony, VLTrader and LexiCom products.
The first of these arises through improper handling of file uploads in the Autorun directory, which allows an attacker to upload malicious files to a server and execute them. The second enables remote code execution (RCE) through Autorun by allowing an unauthenticated user to import and execute arbitrary Bash or PowerShell commands on the host using default settings. It also lets an attacker deploy modular Java backdoors to steal data and conduct lateral movement.
Dray Agha, senior manager of security operations at Huntress, which has been at the forefront of tracking the Cleo incident since the vulnerabilities first surfaced, said: “The Hertz data breach underscores the significant risks posed by unpatched zero-day vulnerabilities in widely used third-party platforms like Cleo. This highlights the importance of maintaining robust vulnerability management programmes to identify and address security gaps in software promptly, especially those used for sensitive data transfer.
“The breach also reflects a growing trend of cyber criminals targeting secure file transfer platforms, which are integral to many organisations’ operations. The evolving tactics of ransomware groups, which shift focus from encryption to data theft and extortion, signal the need for comprehensive cyber security strategies, including encryption of sensitive data at rest and in transit, and heightened monitoring of external connections.”