The car rental service Hertz has disclosed that the personal information of a yet-to-be-determined number of customers has been compromised, including names, contact details, dates of birth, credit card numbers, and driver’s license information.
Although the company has not specified the extent of the data breach, it seems to be quite significant, impacting customers in the US, Canada, the UK, the EU, and Australia.
Hertz stated that the breach occurred between October and November of the previous year through one of its IT partners. The company became aware of the incident in February, but the thorough data analysis was not completed until this month.
On February 10, 2025, we confirmed that Hertz data had been accessed by an unauthorized third party, who reportedly exploited zero-day vulnerabilities within Cleo’s platform during October and December 2024. Hertz promptly initiated an analysis to ascertain the scope of the breach and identify the individuals whose personal information may have been affected.
We finished this data analysis on April 2, 2025, concluding that the personal information involved may encompass: names, contact details, dates of birth, credit card information, driver’s license information, and data associated with workers’ compensation claims.
A very small number of individuals may have had their Social Security numbers or other government IDs, passport details, Medicare or Medicaid IDs (related to workers’ compensation claims), or injury-related data from vehicle accident claims potentially compromised by the breach.
Hertz has notified law enforcement agencies and is currently reporting the incident to the appropriate regulatory bodies.
The company indicates that while it has not detected any fraudulent activity as a result of the breach, customers should remain “vigilant” for signs of misuse of their personal information. To those affected, it is offering two years of complimentary identity theft monitoring services.
Hertz has engaged the services of Kroll to provide two years of identity monitoring or dark web monitoring services at no charge to potentially affected individuals. Residents of the United States who may be impacted can sign up for identity monitoring services here.
DMN’s Perspective
Considering the legal obligation to disclose data breaches within three days in the EU and four days in the US, it remains puzzling why the company is revealing this information only now and is still in the process of informing regulators.
If you are a Hertz customer and do not plan to apply for credit soon, you might consider taking the precautionary step of freezing your credit. This measure should help prevent anyone from using your identity to apply for loans or credit cards, as such applications would likely be denied.
Highlighted Accessories
Information sourced from The Verge. Photo by Avery Evans on Unsplash.
