Hertz confirms exposure in file transfer platform incident

Car rental giant Hertz says Australians’ data “may” have been exposed in a breach of a file transfer platform used by the company.

Image credit: Hertz Australia/Facebook

The rental firm, which owns brands including Hertz and Thrifty, said in a breach notice [pdf] that Hertz data “was acquired by an unauthorised third party that … exploited zero-day vulnerabilities” in the file transfer software made by Cleo Communications.

Hertz was named as a victim of the Clop ransomware gang back in January but reportedly said at the time it had “no evidence” that it had been impacted.

The company had since completed “data analysis” a fortnight ago “and concluded that the personal information involved in this event may include the following regarding Australian individuals: name, contact information, date of birth, driver’s license information and payment card information.”

“A very small number of such individuals may have had their passport information impacted by the event,” Hertz said.

Hertz said it has reported the incident to law enforcement and is “in the process” of notifying various regulators.

It has engaged Kroll to provide identity monitoring services to customers that are deemed to have been impacted.

Hertz added that it is “not aware of any misuse of personal information for fraudulent purposes in connection with” the incident.