Hertz Data Breach Exposes Customer’s Sensitive Information Featured
Lawsuit alleges Hertz’s failure to secure sensitive customer information enabled a data breach that compromised the identities of individuals who rented cars from Hertz, Dollar, and Thrifty.
A lawsuit was recently filed against The Hertz Corporation and related rental brands Dollar and Thrifty after the company announced a major data breach impacting customers who rented vehicles or transacted with the company before December 2024. The lawsuit alleges that Hertz failed to implement reasonable cybersecurity measures and allowed hackers to steal sensitive personal information.
What Happened?
According to Hertz’s public statements, on February 10, 2025, the company confirmed that an unauthorized third party accessed customer data by exploiting zero-day vulnerabilities in software provided by Cleo Communications, a third-party file-sharing vendor. Cleo’s platforms—Cleo Harmony, VLTrader, and LexiCom—are used by major corporations to transfer large volumes of sensitive data securely.
Between October and December 2024, the CL0P ransomware gang exploited those vulnerabilities to exfiltrate customer information. Hertz stated it completed its internal investigation on April 2, 2025, and has begun notifying affected individuals. CL0P has publicly claimed responsibility and posted information about the breach on its leak site.
The incident impacts individuals who rented vehicles or did business with Hertz, Dollar, or Thrifty on or before December 2024.
What Information Was Stolen During the Breach?
According to breach notices and published reports, the information that may have been exposed includes:
- Full names
- Physical and email addresses
- Phone numbers
- Dates of birth
- Driver’s license numbers
- Credit or debit card information
- Social Security numbers (in certain cases)
- Passport numbers
- Medicare/Medicaid IDs
- Workers’ compensation records
- Injury-related accident or insurance data
Although Hertz is not a healthcare provider, some information came from accident claims, insurance forms, and customer service interactions, potentially exposing protected health information (PHI).
What is Hertz Doing to Protect My Identity?
Hertz has notified federal regulators and is sending data breach letters by mail to affected customers. The company has stated it is working with cybersecurity experts and is offering two years of Kroll identity monitoring and dark web monitoring services to impacted customers for free.
What Can Hackers Do With My Information?
Stolen PII and PHI can be used to commit identity theft, open unauthorized financial accounts, file fraudulent insurance claims, or make illicit purchases. Cybercriminals may sell this data on the dark web, creating a long-term risk for those affected.
Anyone impacted must now closely monitor their financial and medical records to guard against fraud and identity theft.
If you receive a Notice of Data Breach letter from Hertz, it is essential that you understand what’s at risk and what steps you can take to protect yourself. A data breach attorney can help you understand your legal rights and how to pursue possible compensation.
Protect Your Identity. Join the Hertz Data Breach Class Action.
The lawsuit alleges that Hertz violated common law duties and federal regulations, including the Federal Trade Commission Act, by failing to:
- Implement reasonable data security measures
- Encrypt sensitive personal information
- Comply with data protection standards
- Provide timely and adequate notice of the breach
If you received a notification letter from Hertz, you may be at permanent risk of identity theft and the severe financial and legal consequences that can result.
You may be eligible to participate in a class action lawsuit to recover compensation for:
- Loss of privacy
- Time spent mitigating the breach
- Out-of-pocket expenses
- Future identity protection costs
The lawsuit aims to represent any U.S. resident whose information was compromised in the breach disclosed by Hertz on February 10, 2025.