In early 2025, Hertz confirmed a major data breach affecting customers of the Hertz, Dollar, and Thrifty rental car brands. The breach exposed highly sensitive personal information including Social Security numbers, passport details, and credit card data. If you've rented a car from any of these brands, here's everything you need to know and exactly what steps to take.
What Happened
The Hertz data breach originated from a cyberattack on Cleo, a third-party vendor that provides data integration and file transfer services to Hertz and many other companies. The CL0P ransomware group exploited previously unknown vulnerabilities in Cleo's software to gain unauthorized access to data flowing through the platform.
Between October and December 2024, attackers accessed data belonging to Hertz customers through Cleo's systems. Hertz became aware of the intrusion after Cleo disclosed the vulnerability, and a subsequent internal investigation confirmed that unauthorized parties had accessed customer information during the three-month window.
This Was Part of a Larger Attack
The CL0P ransomware group's exploitation of Cleo's vulnerabilities wasn't limited to Hertz. The same attack campaign compromised data from multiple companies that used Cleo's file transfer services. This is similar to CL0P's earlier attacks on MOVEit and GoAnywhere, which collectively affected hundreds of organizations and tens of millions of individuals.
What Information Was Exposed
The breach potentially compromised the following personal information:
- Names and contact information
- Dates of birth
- Credit card information
- Driver's license details
- Workers' compensation claim information
For a limited number of individuals, the exposed data may also include:
- Social Security numbers or government-issued ID numbers
- Passport information
- Medicare or Medicaid IDs (associated with workers' compensation claims)
- Injury-related vehicle accident information
The breach affected individuals associated with the Hertz, Dollar, and Thrifty brands.
Immediate Steps to Take
1. Check If You Were Affected
Hertz began notifying affected customers in early 2025. If you rented a car from Hertz, Dollar, or Thrifty between 2020 and 2024, you may be affected even if you haven't received a notification letter. Check your email (including spam folders) for communications from Hertz about the breach.
2. Freeze Your Credit at All Three Bureaus
Given that Social Security numbers and government IDs were potentially exposed, a credit freeze is your most important protective step:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze
- Experian: experian.com/freeze
- TransUnion: transunion.com/credit-freeze
A credit freeze prevents anyone from opening new credit accounts in your name. It's free and doesn't affect your credit score.
3. Place a Fraud Alert
Contact any one of the three credit bureaus to place a free fraud alert on your file. The bureau you contact is required to notify the other two. A fraud alert tells creditors to verify your identity before opening new accounts.
4. Monitor Your Credit Card and Bank Statements
Since credit card information was exposed, carefully review your statements for unauthorized charges. Report any suspicious transactions to your card issuer immediately. Consider requesting a new card number from your bank as a precaution.
5. Change Passwords for Your Hertz Account
If you have an account on hertz.com or the Hertz app, change your password immediately. If you used the same password on other sites, change those too. Use a unique, strong password for every account.
6. Enroll in Identity Protection Services
Hertz offered identity protection services to individuals at higher risk from the breach. Check your notification letter for enrollment details and deadlines. Even if the free monitoring period is limited, enroll immediately to take advantage of it.
Ongoing Protection Steps
Monitor for Identity Theft
With SSNs and passport information potentially in criminal hands, the risk of identity theft is elevated for months or even years after the breach. Watch for these warning signs:
- Unfamiliar accounts or inquiries on your credit report
- Bills or collection notices for accounts you didn't open
- IRS notices about tax returns you didn't file
- Medical bills for services you didn't receive
- Unexpected denial of credit applications
Request Free Credit Reports
Visit annualcreditreport.com to request your free credit reports from all three bureaus. Review them carefully for any accounts or inquiries you don't recognize.
Consider an IRS Identity Protection PIN
If your SSN was exposed, apply for an Identity Protection PIN from the IRS at irs.gov/ippin. This prevents someone from filing a fraudulent tax return using your Social Security number.
Report Passport Compromise
If your passport information was exposed, contact the U.S. State Department at travel.state.gov to report the compromise and inquire about expedited passport renewal.
Watch for Scams Related to This Breach
After every major data breach, scammers use the stolen information to launch targeted phishing campaigns. Be alert for:
- Fake Hertz emails asking you to "verify your account" or "claim compensation" — always go directly to hertz.com rather than clicking links
- Phone calls from people claiming to be Hertz representatives asking for additional personal information
- Phishing texts about rental car bookings, refunds, or account issues
- Fake identity protection services — only use the service specified in your official Hertz notification letter
Remove Your Data From Broker Sites
Breached personal information often ends up on data broker sites, compounding your exposure. When criminals combine breach data with the information already available on people-search sites, they can build comprehensive identity theft profiles.
PrivacyOn helps by automatically removing your personal information from more than 100 data broker sites and monitoring the dark web for your compromised data. This reduces the total amount of personal information available to criminals who may have obtained your data from the Hertz breach.
- Automated removal from 100+ data brokers
- Dark web monitoring for your SSN, email, and other compromised data
- 24/7 monitoring with automatic re-submission of removal requests
- Family plans covering up to 5 people
- Plans starting at $8.33/month
Know Your Legal Rights
Multiple class action lawsuits have been filed against Hertz in connection with the breach. If you were affected, you may be entitled to compensation. Check classaction.org for updates on pending litigation and your eligibility to participate.
Under state data breach notification laws, Hertz is required to notify affected individuals and may be liable for damages resulting from the exposure of personal information.
Take Action Now
The Hertz breach exposed some of the most sensitive personal information possible — SSNs, passport numbers, and financial data. Don't wait for signs of identity theft to act. Freeze your credit, monitor your accounts, and take steps to reduce your overall data exposure. The combination of breach response and proactive data removal through PrivacyOn gives you the best protection against the long-term consequences of this breach.