Heads up: If you’ve rented a car from Hertz, your data may have been exposed in a data breach. While Hertz itself was not attacked, affected customers had sensitive data leaked—including, in some cases, Social Security numbers.
What happened with Hertz?
This week, Hertz posted a “Notice of Data Incident” on its website, informing customers about a 2024 episode involving Cleo Communications. Cleo operates a file transfer platform that Hertz uses for “limited purposes.” Despite those limited purposes, Hertz confirmed that actors exploited zero-day security flaws in Cleo’s network and accessed Hertz customer data. It appears actors accessed this data in both October and December of last year.
Following an analysis of the affected data on April 2, Hertz now says the following user data was impacted in this breach: customer names, contact information, dates of birth, credit card information, driver’s license information, as well as workers’ compensation claims data. In some cases, actors accessed even more sensitive data, including government identification numbers (such as Social Security numbers), passport information, Medicare and Medicaid IDs, and information about injuries related to vehicle accident claims. Hertz says only “a very small number of individuals” are impacted by this latter category of information, but it’s a serious breach nonetheless.
Hertz says it has reported the situation to law enforcement and is reaching out to regulators as well. The company says Cleo launched an investigation and patched the security flaws that led to the breach in the first place—though that will likely not be of much comfort to affected customers.
According to TechCrunch, Hertz contacted several U.S. states, notably California and Maine, about the data incident. The company said that at least 3,400 customers in Maine were impacted by the breach, but stopped short of naming the total number of affected customers. It seems the data breach affects users around the world, too. In addition to the U.S., Hertz posted its announcement on its websites in Australia, Canada, the EU, New Zealand, and the UK.
What should I do if my Hertz data was breached?
Hertz maintains that this user data has not been used to commit fraud, but that doesn’t mean it won’t happen. Bad actors can use the information leaked in this breach to steal your identity, open bank accounts, and take out credit cards and loans in your name. As such, you should take steps to protect your identity.
The company is offering two years of Kroll identity monitoring and dark web monitoring services to impacted customers for free. Accept the offer: A service like Kroll will keep an eye out for any fraud associated with your data, and help protect you from the repercussions.
While Kroll will do a lot of the work for you, there’s more you can do here to keep yourself protected. For starters, you can obtain a free credit report from Equifax, Experian, and TransUnion once a year. Since each is independent, you can stagger your requests to effectively check your full credit once every four months. If you have been involved in this security incident (or any one like it), you can also put a freeze on your credit to ensure no one can access your report for any reason.