Source: go.theregister.com – Author: Connor Jones
Car hire giant Hertz has confirmed that customer information was stolen during the zero-day data raids on Cleo file transfer products last year.
A breach notification was issued on Monday on behalf of Hertz, Dollar, and Thrifty brands, suggesting customers of all three Hertz Corporation-owned car hire businesses were affected.
Hertz didn’t detail the number of customers exposed but said names, contact information, dates of birth, credit cards, driver’s license information, and details related to workers’ compensation claims were involved.
A smaller subset of customers may also have had more sensitive data stolen, including Social Security or other government identification numbers, passport information, Medicare or Medicaid ID, or injury-related information associated with vehicle accident claims.
For those wondering why a car hire company would have Medicare data, it’s for cases involving workers’ compensation claims.
The files were stolen from a Cleo file transfer product Hertz uses “for limited purposes,” though it didn’t specify which.
At the time of the mass-exploitation event last year, Cleo patched its Harmony, VLTrader, and LexiCom products against CVE-2024-50623, and then against CVE-2024-55956, a second flaw that allowed attackers to bypass the initial fix, meaning installations that had only applied the first patch remained exploitable.
Cybercrime crew Cl0p claimed responsibility for the Cleo attacks, which, going by the victims it posted to its leak site over the following weeks, affected around 70 organizations.
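The practical lesson from the two-CVE sequence is that "we patched Cleo" is not a yes/no question: a host fixed for CVE-2024-50623 but not for the CVE-2024-55956 bypass is still exposed. The triage script below is an added example, not code from The Register, Cleo, or Hertz. The version thresholds it uses (5.8.0.21 for the first fix, 5.8.0.24 for the bypass fix) are taken from Cleo's advisories as recalled here and should be rechecked against the vendor's current guidance; the host inventory is constructed for the demo.

```python
"""Triage an inventory of Cleo Harmony/VLTrader/LexiCom hosts by patch level.

Added example, not from the original article. Version thresholds are an
assumption drawn from Cleo's advisories: 5.8.0.21 closed CVE-2024-50623,
5.8.0.24 closed the CVE-2024-55956 patch bypass. Verify before relying on them.
"""

# Fix levels, as (major, minor, patch, build) tuples for easy comparison.
FIX_CVE_2024_50623 = (5, 8, 0, 21)  # assumption: first fix
FIX_CVE_2024_55956 = (5, 8, 0, 24)  # assumption: fix for the bypass


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '5.8.0.21' into (5, 8, 0, 21); pad short strings so '5.8' == (5, 8, 0, 0)."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Cleo version: {s!r}")
    v = tuple(int(p) for p in parts)
    return v + (0,) * (4 - len(v))


def classify(version: str) -> str:
    """Return one of 'vulnerable', 'bypassable', or 'patched' with a short reason."""
    v = parse_version(version)
    if v < FIX_CVE_2024_50623:
        # Never patched for either issue.
        return "vulnerable: CVE-2024-50623 and CVE-2024-55956 both exploitable"
    if v < FIX_CVE_2024_55956:
        # This is the trap: the first patch was applied, the bypass was not.
        return "bypassable: patched for CVE-2024-50623 only, CVE-2024-55956 still exploitable"
    return "patched"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> classification for every host in the inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


def needs_action(inventory: dict[str, str]) -> list[str]:
    """Hosts that still need a patch, sorted so the report is stable."""
    return sorted(h for h, status in triage(inventory).items() if status != "patched")


# Constructed sample inventory (hostnames and versions are made up for the demo).
SAMPLE_INVENTORY = {
    "mft-legacy.example.internal": "5.7",        # never patched
    "mft-partner.example.internal": "5.8.0.21",  # first patch only
    "mft-claims.example.internal": "5.8.0.23",   # still short of the bypass fix
    "mft-core.example.internal": "5.8.0.24",     # fully patched
    "mft-new.example.internal": "5.8.1",         # later release, treated as patched
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:32} {status}")
    print("needs action:", needs_action(SAMPLE_INVENTORY))
```

Version triage only tells you who is exposed now. It says nothing about whether a host was hit during the window between exploitation starting and the second patch landing, which is exactly how Hertz ended up in a breach notification despite Cleo having shipped fixes; that question needs log review of the file-transfer host, not a version check.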
The remainder of Hertz’s notification letter [PDF] reads like countless others.
It says: “Hertz takes the privacy and security of personal information seriously. To that end, Hertz has confirmed that Cleo took steps to investigate the event and address the identified vulnerabilities. Hertz also reported this event to law enforcement and is in the process of reporting the event to relevant regulators.”
It also said it has so far found no evidence that any of the stolen data had been misused but urged customers to be vigilant for any fraudulent activity on their accounts. The usual stuff.
To help with that, Hertz also said it paid Kroll to offer affected individuals two years of identity monitoring or dark web monitoring services “out of an abundance of caution.”
Of the approximately 70 organizations hit by the Cleo attacks, according to Cl0p’s disclosures, relatively few have publicly acknowledged the matter. Some said they were investigating Cl0p-related breaches, while German manufacturer Covestro is the only other to confirm a successful attack. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/04/15/hertz_cleo_customer_data/