Hertz Reports Data Breach Associated with Vendor Cleo Communications
Key Takeaways
- Vendor-Related Breach: A vulnerability in Cleo Communications' platform exposed sensitive data, including contact information, credit card details, and in some cases, Social Security and passport numbers.
- No Evidence of Fraud: Although no fraudulent use of the compromised data has been reported, Hertz is proactively offering free identity protection services to those affected.
- Third-Party Vendor Risk: This breach underscores the importance of thoroughly assessing and securing third-party vendors to prevent vulnerabilities from affecting your organization.
Deep Dive
Hertz has recently announced that the company is grappling with a data breach that stemmed from a vendor, Cleo Communications US, LLC. This breach, involving a file transfer platform used by Hertz, further demonstrates the vulnerabilities that third-party vendors can introduce to an organization’s data security.
The issue surfaced when Hertz discovered on February 10, 2025, that an unauthorized third party had accessed data through a vulnerability in Cleo’s platform. The culprit: zero-day vulnerabilities that were exploited between October and December of 2024. As soon as Hertz was made aware, the company initiated a thorough investigation to assess the situation, quickly gathering the necessary details on the scope of the breach.
The results are now in: some personal information, including names, contact details, credit card data, and driver’s license numbers, was exposed. For a reportedly small subset of individuals, even more sensitive information like Social Security numbers and passport information was compromised. While the company has found no evidence of fraud using the stolen data, it is urging those impacted to exercise caution and remain vigilant.
In response, Hertz has stated that they are working with Cleo to patch the security gaps and prevent further unauthorized access. As an added precaution, Hertz has stated they are rolling out two years of identity protection services through Kroll, including dark web monitoring, to provide impacted individuals peace of mind. They’ve also reported the breach to law enforcement and are following the necessary regulatory steps.
This incident raises critical questions for businesses everywhere, such as: exactly how secure are the vendors you rely on? It’s not just about protecting your own organization’s data but understanding and securing the entire supply chain. While no data breach is ever ideal, it’s clear that this one was caught relatively early, and clear and decisive steps are being taken.
For now, Hertz is encouraging affected individuals to stay on top of their financial activity, checking credit reports and monitoring accounts for any signs of misuse. As a best practice, they’re also recommending putting a fraud alert or credit freeze in place, just to be safe.
This breach doesn’t just affect Hertz; it’s a reminder of the potential pitfalls for anyone relying on third-party vendors to handle sensitive data. The integrity of your vendor relationships is just as crucial as your internal cybersecurity. It’s time to take a closer look at your own third-party risk management and make sure that your supply chain doesn’t become the weak link in your security.