The car rental service Hertz has disclosed that personal information from an undisclosed number of customers has been compromised. This data breach includes names, contact details, dates of birth, credit card data, and driver’s license information.
Although the company has not specified the extent of the breach, it appears to be quite significant, impacting customers located in the US, Canada, UK, EU, and Australia.
The breach reportedly occurred during October and November of the previous year through one of its IT partners. Hertz became aware of the situation in February but only finished its data assessment recently.
On February 10, 2025, we acknowledged that Hertz data had been accessed by an unauthorized third party who exploited zero-day vulnerabilities within Cleo’s platform between October 2024 and December 2024. Hertz promptly commenced data analysis to assess the situation and to identify individuals whose personal information might have been affected.
We completed this analysis on April 2, 2025, finding that the personal information involved in this incident could include names, contact details, dates of birth, credit card data, driver’s license information, and information linked to workers’ compensation claims.
A limited number of individuals may have also had their Social Security or other government IDs, passport information, Medicare or Medicaid IDs (related to workers’ compensation claims), or injury-related information from vehicle accident claims exposed during this event.
Hertz has reported the incident to law enforcement and is in the process of notifying the appropriate regulatory bodies.
While the company is not currently aware of any fraudulent activities arising from this breach, it advises customers to remain “vigilant” regarding potential misuse of their data. As a precaution, Hertz is offering two years of complimentary identity theft monitoring to those affected.
Hertz has enlisted Kroll to offer two years of identity monitoring or dark web monitoring services at no cost to potentially affected individuals. If you are a resident of the United States and may have been impacted, you can register for identity monitoring services here.
DMN’s Perspective
Considering the legal obligation to disclose data breaches within three days in the EU and four days in the US, the timing of this announcement raises questions about why the company is only now coming forward and continues to inform regulators.
If you are a Hertz customer and do not intend to apply for credit soon, it may be wise to freeze your credit. This action will help prevent identity theft for loan or credit card applications made in your name, as all such requests should be denied.
Notable Accessories
Via The Verge. Photo by Avery Evans on Unsplash.
