The car-rental company Hertz is warning its customers that a data breach exposed personal information including driver’s licenses, credit-card data, contact information and in some cases social security or passport numbers. 

The company said that hackers breached Cleo Communications, a company that it works with for file transfers. 

The company said in a «Notice of Data Incident» statement (PDF) on its website: «We completed this data analysis on April 2, 2025, and concluded that the personal information involved in this event may include the following: name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims. A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event.»

In an additional statement to CNET, a spokesperson for the company said Hertz takes privacy and security seriously. 

«Importantly, to date, our forensic investigation has found no evidence that Hertz’s own network was affected by this event,» the spokesperson said. «However, among many other companies affected by this event, we have confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024.»

WK Kellogg (yes, the cereal company) was apparently affected as well by the same window of data vulnerability that Hertz says took place between October and December 2024. Hertz says it became aware of the breach on Feb. 10.

Hertz is offering its customers two years of identity-theft protection with Kroll and included a phone number to contact for information on the breach, 866-408-8964.

Another in a long list of breaches

Consumers have over the last few years had to deal with the fallout of multiple large-scale data breaches that have affected customers of companies including AT&T, Ticketmaster and others.

Franklin Orellana, a cybersecurity expert and program chair of data science at Post University, said that the Hertz breach may be different in the type of information that was collected.

«While the size of the Hertz breach may not be as large as some of the more recent ones, the nature of what was exposed makes it particularly concerning,» Orellana said. «That kind of sensitive data can be more far-reaching in its implications for consumers, especially in cases of identity theft or license-cloning fraud.» 

Incidents like this, he said, are part of a rise in data breaches that affect third-party vendors of companies. Orellana pointed to a National Credit Union Administration report from a few years ago showing that 73 percent of data breaches involved a third party that was working with a credit union.

Sharing data with third parties can increase the possibilities of attack. 

«These breaches are generally due to a lack of control or visibility in the security stance of these partners, and supply chain risk is, therefore, one of the most significant concerns in cybersecurity today,» he said.

As to what consumers can do about data vulnerabilities they aren’t directly responsible for, there aren’t many options for protection, he said. 

«Unfortunately, in cases like these, consumers are largely powerless. You can do everything right, strong passwords, two-factor authentification, and up-to-date software, and still be vulnerable if a third party doesn’t store your data safely.»

Orellana added, «The burden truly is on businesses to vet vendors carefully and to have strong data protection policies across the entire ecosystem.»