Car rental company Hertz says that the personal data of an unspecified number of customers was stolen, and that this includes name, contact information, date of birth, credit card information, and driver’s license information. While the company has not revealed the scale of the security breach, it appears to be a very substantial one, affecting customers in the US, Canada, UK, EU, and Australia … It says that the breach occurred in October and November of last year via one of its IT partners, and it became aware of it in February, but only completed its data analysis this month. On February 10, 2025, we confirmed that Hertz data was acquired by an unauthorized third party that we understand exploited zero-day vulnerabilities within Cleo’s platform in October 2024 and December 2024. Hertz immediately began analyzing the data to determine the scope of the event and to identify individuals whose personal information may have been impacted. We completed this data analysis on April 2, 2025, and concluded that the personal information involved in this event may include the following: name, contact information, date of birth, credit card information, driver’s license information and information related to workers’ compensation claims. A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event. Hertz says it has informed law enforcement and “is in the process of reporting the event to relevant regulators.” The company says that while it is not yet aware of any resulting fraud, customers should be “vigilant” for misuse of their information. It’s offering two years of free identity theft monitoring to all those affected. Hertz has secured the services of Kroll to provide two years of identity monitoring or dark web monitoring services to potentially impacted individuals at no cost. Potentially impacted residents of the United States may sign up for identity monitoring services here. 9to5Mac’s Take Given a legal requirement to disclose data breaches within three days in the EU and within four days in the US, it’s unclear why the company is only now revealing this, and is somehow still in the process of informing regulators. If you’re a Hertz customer and have no plans to apply for credit in the near future, you may wish to take the precaution of freezing your credit. This should prevent anyone stealing your identity to apply for loans or payment cards in your name, as all applications should be declined. Highlighted accessories Via The Verge. Photo by Avery Evans on Unsplash. Add 9to5Mac to your Google News feed.  FTC: We use income earning auto affiliate links. More.You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel