Car rental giant Hertz Corporation has confirmed that customer data from its Hertz, Thrifty, and Dollar brands may have been stolen in a cyberattack involving one of its vendors, file transfer firm Cleo.
The company said that data was accessed by an “unauthorised third party” who exploited “zero-day vulnerabilities” in Cleo’s platform between October and December last year.
Since then, Hertz has identified individuals whose personal information may have been impacted. The data potentially includes names, contact information, dates of birth, credit card details, driver’s licence information, and information related to workers’ compensation claims.
A smaller number of individuals may also have had their Social Security or other government identification numbers, passport details, Medicare or Medicaid ID numbers, or other sensitive information exposed.
While Hertz stated it is not aware of any misuse of personal data, it urged potentially affected individuals to remain “vigilant of the possibility of fraud or errors by reviewing account statements and monitoring free credit reports for any suspicious activity.”
The company has secured the services of financial and risk advisory firm Kroll to provide two years of identity monitoring or dark web monitoring for those affected.
“Data is a form of currency for cybercriminals, so it is essential that all organisations harbouring sensitive information manage their software risk by taking measures to improve their cybersecurity posture to prevent a compromise like this from happening again,” said Thomas Richard, infrastructure security practice director at cybersecurity firm Black Duck.
“It is data breaches like these that underscore the need for companies to not only review and reinforce their own systems but also those of any third-party vendors they use,” added Chris Hauk, consumer privacy advocate at Pixel Privacy.
“Anyone that has rented a car or worked for Hertz, Dollar, or Thrifty needs to keep an eye out for phishing attempts, unauthorised account activity, and any accounts being opened in their name,” Hauk said.
“Affected parties should definitely take advantage of the free identity monitoring services being offered by Hertz.”
The attack on Cleo also affected other brands, including WK Kellogg, Western Alliance Bank, and Sam’s Club.
Cyber gang Clop has claimed responsibility for the attacks, stating that it stole data from 66 companies.