When the Weakest Link Breaks: The Cleo Vulnerability Behind the Hertz Data Breach

by PJ Bradley on May 9, 2025

Modern organizations are presented with an array of risks from all angles, including through partners, contractors, and other third parties. Interconnected and integrated technologies and supply chains open up many avenues for attackers to compromise an organization’s sensitive systems and data. Recently, car rental company Hertz discovered that sensitive data had been breached by a third party.

After discovering the incident on February 10th, 2025, the company immediately moved to analyze what data was impacted, and this analysis was completed on April 2nd. The office of the Maine Attorney General publicly disclosed the data compromise. The file-transfer software Cleo was identified as the vulnerability vector in the breach, highlighting the importance of securing against software supply chain risks.

The Supply Chain Strikes Again

This attack occurred in a landscape where threat actors are increasingly exploiting not just third-party risk in general, but file-transfer software specifically. The 2023 MOVEit and GoAnywhere incidents, along with this new breach via the Cleo vendor, are all high-profile examples of the trend of cybercriminals taking advantage of vulnerabilities in file-transfer services.

These platforms are high-value targets due to the vast volumes of highly sensitive data they often process and handle, especially when in use by large corporations like Hertz. Bad actors also find it convenient to compromise systems via third parties, as the interconnected software supply chain often leads to security gaps from which they can benefit. Common patterns in file-transfer software attacks include bad actors gaining privileged access, using the integration of legacy tools to their advantage, and exploiting weak patch management.

Cleo’s Role and the Vendor Response

In the notice advising affected individuals of the breach, Hertz confirmed that the attack occurred via an exploit of Cleo’s service, and communicated that Cleo was taking steps to address the incident and mitigate “identified vulnerabilities.” However, the file transfer service vendor has not publicly disclosed much specific information about the attack, including how threat actors carried out the compromise, what security vulnerability enabled the breach, and what actions are being taken in the wake of the attack.

The lack of full transparency into the details of the incident has caused some concern in the cybersecurity community. Software vendors must securely manage critical data flows without exposing them to attack, and the broader implications of this incident raise questions about their ability to do so, as well as their handling of security events when they do arise. The interconnectedness of modern systems and the supply chain necessitates cybersecurity communication, collaboration, and transparency to protect against the dangers of attacks like this.

Hertz’s Response and Risk Management

Hertz responded to the incident by filing a notice with the Maine Attorney General’s office on April 11th and sending letters of notice to individuals whose personal information was compromised in the breach. The breach actually comprised two separate incidents, in October and December of 2024, achieved via zero-day exploits. Compromised data included names, contact information, dates of birth, driver’s license information, credit card information, Social Security numbers, government ID numbers, passport information, and Medicare/Medicaid IDs connected to workers’ compensation cases.

Individuals whose personal data was exposed in this breach could be entitled to compensation. Hertz is also offering affected customers two years of identity monitoring and dark web monitoring services from Kroll Monitoring free of charge. Still, some believe that Hertz failed to take adequate action to prevent the attack, mitigate its effects, and inform affected individuals in a timely manner. The company faces the risk of regulatory action and pending class-action lawsuits, which could lead to large fines and settlements.

Expert Insight

Third-party and open-source software risks are a major source of concern in an increasingly interconnected digital landscape. Companies have vast IT and OT systems and supply chain networks, using software and hardware from a variety of vendors and developers, all of which could potentially introduce significant risks to organizations. “Data is a form of currency for cybercriminals, and therefore it is essential that all organizations harboring sensitive information manage their software risk by taking measures to improve their cybersecurity posture to prevent a compromise like this from happening again,” says Thomas Richards, Infrastructure Security Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

Achieving visibility and insight into the software supply chain and complex systems is necessary for any organization to protect against attacks like this. Software Composition Analysis (SCA) is an important step in ensuring that these networks are secure: detecting embedded open-source software, checking whether it is fully updated, finding known security vulnerabilities, and identifying licensing requirements. It is also vital for organizations to engage in proactive risk assessments and locate known vulnerabilities in their dependencies.
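To make the four SCA checks above concrete, here is an added example (not from the article or any SCA vendor) that runs them over a constructed CycloneDX-style SBOM fragment. The component names, versions, the advisory feed, the "latest version" catalog and the license policy are all constructed placeholders; a real run would pull the advisory and version data from a vulnerability database and an artifact registry.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM fragment (example data, not any real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "acme-file-transfer", "version": "5.8.0", "licenses": [{"license": {"id": "Proprietary"}}]},
    {"name": "log-utils", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "fast-json", "version": "1.2.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}"""

# Constructed stand-ins for a vulnerability feed, a version catalog and a license policy.
ADVISORIES = {"acme-file-transfer": {"fixed_in": "5.8.1", "id": "ADV-EXAMPLE-001"}}
LATEST = {"acme-file-transfer": "5.8.1", "log-utils": "2.14.1", "fast-json": "1.3.0"}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "Proprietary"}


def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def analyze(sbom_text: str) -> List[Dict[str, str]]:
    """Return one finding per issue: vulnerable, outdated, or disallowed license."""
    findings = []
    for comp in json.loads(sbom_text)["components"]:
        name, ver = comp["name"], comp["version"]
        adv = ADVISORIES.get(name)  # known-vulnerable check: below the fixed version?
        if adv and parse_version(ver) < parse_version(adv["fixed_in"]):
            findings.append({"component": name, "issue": "vulnerable",
                             "detail": f"{adv['id']} fixed in {adv['fixed_in']}"})
        latest = LATEST.get(name)  # patch-currency check: behind the newest release?
        if latest and parse_version(ver) < parse_version(latest):
            findings.append({"component": name, "issue": "outdated", "detail": f"latest is {latest}"})
        for lic in comp.get("licenses", []):  # license policy check
            lic_id = lic.get("license", {}).get("id", "UNKNOWN")
            if lic_id not in ALLOWED_LICENSES:
                findings.append({"component": name, "issue": "license", "detail": lic_id})
    return findings


if __name__ == "__main__":
    for f in analyze(SBOM_JSON):
        print(f"{f['component']}: {f['issue']} ({f['detail']})")
```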

Lessons Learned and Forward Strategy

The Hertz attack highlights the necessity of securing third-party software and building resilience into the software supply chain. Security governance cannot focus solely on internal security considerations, but must include vendor risk management to prevent breaches like the Hertz incident. Organizations are encouraged to implement continuous monitoring and ensure faster patch cycles moving forward, to decrease the chances of falling victim to an attack through a third party. Failing to do so may have significant regulatory and reputational consequences.

Author
  • PJ Bradley
    Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.
Copyright © 2025 CyberEdge Group, LLC. All rights reserved.