Most companies use different vendors to run different parts of their business, such as customer management, finances, payroll and social media. To do this, they share access to customer data with these platforms. The issue is that not all vendors take cybersecurity seriously, and hackers are well aware of that. 

More and more, attackers are going after these weaker links in the digital supply chain. These kinds of breaches often happen quietly, exposing large amounts of customer information without touching a company’s main systems. It’s becoming a serious concern for both businesses and their customers. 

One of the latest cases involves Hertz, the car rental giant, which recently confirmed that customer data was exposed because of a cyberattack on one of its software vendors.

Join the FREE “CyberGuy Report”: Get my expert tech tips, critical security alerts and exclusive deals, plus instant access to my free “Ultimate Scam Survival Guide” when you sign up!

What happened at Hertz?

Hertz, the global car rental company that also operates Dollar and Thrifty, has disclosed a data breach affecting thousands of its customers. The incident stems from a cyberattack on one of its third-party vendors, software provider Cleo, between October and December 2024. The breach did not compromise Hertz’s internal systems directly but involved data that had been shared with the vendor as part of its operational workflow.

The compromised data varies by region but includes sensitive personal information such as names, dates of birth, contact details, driver’s license numbers and, in some cases, Social Security numbers and other government-issued IDs. Certain financial information, including payment card details and workers’ compensation claims, was also among the stolen records.

In the U.S., disclosures were filed with regulatory bodies in California, Texas and Maine. Specifically, 3,457 individuals were affected in Maine and 96,665 in Texas. The total global impact, however, is believed to be far greater. Customers in Australia, Canada, the EU, New Zealand and the U.K. were also notified via breach notices on Hertz’s regional websites.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

The breach is believed to be the work of the Clop ransomware gang, a well-known Russia-linked hacking group. Clop exploited a zero-day vulnerability in Cleo’s enterprise file transfer software, technology used by many large organizations to securely transmit sensitive business data. In 2024, the gang launched a mass-hacking campaign targeting Cleo users, ultimately stealing data from more than 60 companies, including Hertz.

Interestingly, while Hertz was named on Clop’s dark web leak site in 2024, the company initially stated it had “no evidence” its systems or data had been compromised.

When contacted by CyberGuy, a Hertz spokesperson said, “At Hertz, we take the privacy and security of personal information seriously. This vendor event involves Cleo, a file transfer platform used by Hertz for limited purposes. Importantly, to date, our forensic investigation has found no evidence that Hertz’s own network was affected by this event. However, among many other companies affected by this event, we have confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.”

200 MILLION SOCIAL MEDIA RECORDS LEAKED IN MAJOR X DATA BREACH

What does this mean for customers?

While Hertz’s internal systems were not breached, the exposure of personal data, including driver’s license numbers, contact details and government-issued IDs, poses serious risks. Affected individuals may be vulnerable to identity theft, fraudulent account openings and targeted phishing attempts. If Social Security numbers were involved, the potential for harm increases significantly. Anyone who rented from Hertz, Dollar or Thrifty between October and December 2024 should be on high alert.

MALWARE EXPOSES 3.9 BILLION PASSWORDS IN HUGE CYBERSECURITY THREAT

7 ways to protect yourself after the Hertz data breach

If you think you were affected or just want to be cautious, here are some steps you can take right now to stay safe from the Hertz data breach.

1. Watch out for phishing scams and use strong antivirus software: With access to your email, phone number or identification documents, attackers can craft convincing phishing emails pretending to be from healthcare providers or banks. These emails might include malicious links designed to install malware or steal login information. To defend yourself, use a strong antivirus program. Get my picks of the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2. Scrub your data from the internet using a personal data removal service: The more exposed your personal information is online, the easier it is for scammers to use it against you. Following the Hertz breach, consider removing your information from public databases and people-search sites. Check out my top picks for data removal services here.

3. Safeguard against identity theft and use identity theft protection: Hackers now have access to high-value information from the Hertz breach, including Social Security numbers, driver’s license and bank information. This makes you a prime target for identity theft. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. Signing up for identity theft protection gives you 24/7 monitoring, alerts for unusual activity and support if your identity is stolen. See my tips and best picks on how to protect yourself from identity theft.

4. Set up fraud alerts: Requesting fraud alerts notifies creditors that they need extra verification before issuing credit in your name. You can request fraud alerts through any one of the three major credit bureaus; they’ll notify the others. This adds another layer of protection without completely freezing access to credit. 

5. Monitor your credit reports: Check your credit reports regularly through AnnualCreditReport.com, where you can access free reports from each bureau once per year or more frequently if you’re concerned about fraud. Spotting unauthorized accounts early can prevent larger financial damage.

6. Change passwords and use a password manager: Update passwords on any accounts tied to compromised data. Use unique passwords that are hard to guess and let a password manager do the heavy lifting by generating secure ones for you. Reused passwords are an easy target after breaches. Consider password managers for convenience and security. Get more details about my best expert-reviewed password managers of 2025 here.

7. Be wary of social engineering attacks: Hackers may use stolen details like names or birth dates from breaches in phone scams or fake customer service calls designed to trick you into revealing more sensitive info. Never share personal details over unsolicited calls or emails. Social engineering attacks rely on trust, and vigilance is key. 

HACKERS USING MALWARE TO STEAL DATA FROM USB FLASH DRIVES

Kurt’s key takeaway

Cyber risk doesn’t always come from a company’s own network. It often originates in unseen corners of the digital supply chain. Even as companies double down on internal cybersecurity, they must be equally rigorous in how they vet and monitor third-party vendors. For consumers, it’s no longer enough to trust the big brand on the label. The data trail is wider, the attack surface larger and the consequences far more opaque. 

If companies can’t protect our data, should they be allowed to collect so much of it? Let us know by writing us at Cyberguy.com/Contact.

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com. All rights reserved.