
Australian customers of car rental company Hertz, which also operates the Thrifty and Dollar brands, may have had their personal information stolen during a cyber attack on a third-party vendor that handles file transfers for Hertz. Hackers breached systems at Cleo Communications in late 2024.
“On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorised third-party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024,” an April 15, 2025, Hertz statement reads.
Cleo Communications is a US-based privately owned software company best known for its ecosystem integration platform.
“Hertz immediately began analysing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted,” the statement added.
“We completed this data analysis on April 2, 2025, and concluded that the personal information involved in this event may include the following regarding Australian individuals: name, contact information, date of birth, driver’s license information and payment card information.”
Hertz customers from the United States, Canada, New Zealand, the United Kingdom, and the European Union have also had personal information stolen in the attack.
Hertz adds that a small number of customers may have had passport information stolen. The rental car company says it is not aware of any misuse of stolen personal information.
However, Russian-speaking ransomware gang Clop has previously leaked alleged data from Hertz and other companies on its extortion site. It has claimed responsibility for exploiting vulnerabilities in Cleo’s file transfer platforms.
“Hertz has confirmed that Cleo took steps to investigate the event and address the identified vulnerabilities,” noted Hertz’s statement. “Hertz also reported this event to law enforcement and is in the process of reporting the event to relevant regulators. Further, out of an abundance of caution, Hertz has secured the services of Kroll to provide two years of identity monitoring services to potentially impacted individuals at no cost.”
“We encourage potentially impacted individuals, as a best practice, to remain vigilant to the possibility of fraud or errors by reviewing account statements and monitoring credit reports for any unauthorised activity and reporting any such activity.”