The Daily Hodl reports:
A car rental giant says sensitive customer data has been exposed in a cybersecurity incident involving one of its vendors.
In a notice posted on its website, Hertz says that its vendor, Cleo Communications US, witnessed a zero-day vulnerability exploit late last year that enabled thieves to siphon customer data.
Notifications on various state government websites show at least 100,000 people are affected.
Hertz says the data breach exposed customer information, including names, contact details, credit card records and driver’s license numbers. Hertz also says that a “very small number of individuals” had their Social Security numbers, passport records, Medicare or Medicaid IDs and entries related to vehicular accident claims exposed as well.
Read more at The Daily Hodl.
The Hertz Corporation includes Hertz, Dollar, and Thrifty car rental brands. The CLEO breach is the fourth breach of a file transfer program by Cl0p threat actors. Two zero-day vulnerabilities in Cleo’s file transfer platform, which are tracked as CVE-2024-50623 and CVE-2024-55956, were exploited by the gang in October and December 2024. Hertz was one of dozens of entities targeted.
Hertz’s own network was not compromised by the vendor breach. Cl0p does not encrypt their victims, but exfiltrates data and then attempts to extort their targets into paying ransom to have them delete the stolen data rather than leak it.
Cl0p was previously responsible for similar attacks on Accellion, GoAnywhere, and MOVEit file transfer software.
