Every organization relies on a web of third-party tools to keep operations smooth. For Hertz, that meant using Cleo's managed file-transfer platform to move customer data. But zero-day flaws in that platform, exploited by the Cl0p extortion crew in October and December 2024, let attackers pull customer records straight off the transfer server and pushed Hertz into breach notifications the following spring. Let's walk through the story, piece by piece, and see what every business can learn about avoiding its own data-breach nightmare.
Picture this: you're a customer booking a car online. You hand over your driver's license number, credit-card info, and contact details. You trust the rental giant to keep it safe. Yet behind the scenes, Cl0p had already helped itself to that data, not through a phished employee but through zero-day holes in the Cleo file-transfer software Hertz used to exchange files.
Hertz's own account is less dramatic than the ransomware-and-encryption version that circulated, and more instructive. Cl0p did not encrypt anything; its Cleo campaign was pure data theft followed by extortion. Hertz confirmed in February 2025 that its data had been taken, and in April 2025 it began notifying customers that the exposed records included names, contact details, dates of birth, driver's license and payment card information and, for a smaller group, Social Security or other government ID numbers, passport data, Medicare or Medicaid IDs, and injury details from accident claims. Hertz did not publish a global total; the size of the affected population surfaced piecemeal through filings with state attorneys general.
Whatever the final bill, it is the real cost of missed warnings, delayed responses, and unseen gaps in third-party risk. If your business uses vendor tools, and nearly every business does, you need a plan to spot these threats early and stop them cold.
The gap that matters is the one between exploitation and notice. The data left in October and December 2024, Hertz confirmed the theft in February 2025, and customers heard in April. Over a stretch like that a stolen file set gets sold, posted, or used, and when your customer base runs to millions, every week of delay counts.
The root cause lay not in a phishing email but in flaws baked into Cleo's file-transfer products (Harmony, VLTrader, and LexiCom), tracked as CVE-2024-50623 and CVE-2024-55956. Both let an unauthenticated attacker write files onto the server, and with the product's Autorun directory enabled, a file dropped there is executed. That turns an upload into remote code execution on the transfer host, and from there the attacker can read whatever the host is holding, which for a file-transfer appliance is exactly the sensitive data it exists to move. Cleo's first fix (5.8.0.21) was bypassed; 5.8.0.24 closed the hole. Public reporting describes theft from the transfer host, not a domain-wide intrusion, and that is the lesson: the vendor box on your perimeter can leak your data without the attacker ever touching your Active Directory.
This wasn't a password problem or a user mistake. It was a zero-day against a trusted vendor tool. The big takeaway? Every third-party platform needs the same scrutiny you give your own code, and internet-facing file-transfer servers in particular need a watch on vendor advisories and exploited-vulnerability catalogs (such as CISA's Known Exploited Vulnerabilities list) that runs daily, not quarterly. If you are not checking vendor updates daily, you are leaving secret doors wide open.
Once inside, the attackers took customer records containing names, contact details, driver's license and payment card data and, for some, government ID numbers. For customers, that means identity-theft risks, payment-card fraud, and a marathon of account resets and credit monitoring. For Hertz, the fallout was serious.
They faced breach-notification obligations in every jurisdiction where affected customers live, each with its own deadlines and regulator, alongside the cost of offering identity-monitoring services to those affected. Their brand took a beating online, with social media full of angry posts from customers worried about stolen personal data.
This breach shows how fast trust can evaporate—and how costly it is to rebuild once it’s gone.

Even with response work under way, the road to normalcy was long. Every delay meant frustrated customers, lost revenue, and a ticking clock on regulatory deadlines. A robust incident playbook cuts response times dramatically: intrusions shut down in hours, not days, and notifications sent on a schedule you control rather than one a regulator sets for you.
Hertz's ordeal underlines four gaps that a third-party oversight program has to close:
First, continuous vulnerability scanning of internet-facing vendor platforms such as Cleo's, with version tracking against the vendor's latest fixed release rather than a yes/no "patched" flag.
Second, a "zero-day watch" process that catches vendor advisories, patches, and exploited-vulnerability catalog additions within hours of publication.
Third, onboarding checks that include a real security review of the product and of how it will be exposed, not just a questionnaire.
Fourth, contracts with clear clauses for rapid vulnerability disclosure and incident notification timelines.
A healthy third-party risk program treats every vendor like an extension of your network—subject to the same checks, tests, and contractual requirements as your own systems.
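The first two items above, continuous version tracking of vendor platforms and a daily zero-day watch, reduce to one routine: match your third-party inventory against an exploited-vulnerability feed and flag anything still below the vendor's fixed release. The script below is an added example written for this page, not code from Hertz, Cleo, or iRM. It mimics the field names of CISA's KEV feed on a constructed sample, uses a constructed inventory, and assumes a hand-maintained table of fixed versions (Cleo's 5.8.0.24 is taken from the vendor advisory; the MOVEit value is illustrative). Anything it cannot prove patched is reported, so a missing fixed-version entry shows up as a finding rather than as silence.

```python
"""Vendor zero-day watch: match a third-party software inventory against an
exploited-vulnerability feed and flag assets still below the fixed version."""
import json

# Constructed sample in the shape of CISA's Known Exploited Vulnerabilities feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# A real watch downloads that file; the entries below are illustrative and trimmed,
# and their dates and wording should not be taken as a copy of the feed.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2024-50623", "vendorProject": "Cleo", "product": "Multiple Products",
     "vulnerabilityName": "Cleo Multiple Products Unrestricted File Upload Vulnerability",
     "dateAdded": "2024-12-13", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-55956", "vendorProject": "Cleo", "product": "Multiple Products",
     "vulnerabilityName": "Cleo Multiple Products Unauthenticated File Upload Vulnerability",
     "dateAdded": "2024-12-17", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability",
     "dateAdded": "2023-06-02", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed third-party inventory, the kind of register a vendor-risk program keeps.
INVENTORY = [
    {"vendor": "Cleo", "product": "Harmony", "version": "5.8.0.21",
     "internet_facing": True, "owner": "integrations-team"},
    {"vendor": "Progress", "product": "MOVEit Transfer", "version": "2023.0.3",
     "internet_facing": True, "owner": "integrations-team"},
    {"vendor": "Atlassian", "product": "Jira", "version": "9.12.0",
     "internet_facing": False, "owner": "platform-team"},
]

# Fixed versions the team records from vendor advisories as each KEV entry lands.
# Cleo's advisory names 5.8.0.24 as the release that closes both CVEs; the MOVEit
# value is illustrative. Treat this table as an assumption to verify, not as truth.
FIXED_VERSIONS = {
    "CVE-2024-50623": "5.8.0.24",
    "CVE-2024-55956": "5.8.0.24",
    "CVE-2023-34362": "2023.0.1",
}


def parse_version(version: str) -> tuple:
    """Turn '5.8.0.21' into (5, 8, 0, 21) so comparisons are numeric: '5.8.0.9' < '5.8.0.24'."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def kev_entries_for(vendor: str, product: str, kev: dict) -> list:
    """KEV entries naming this vendor and either this product or 'Multiple Products'."""
    hits = []
    for entry in kev["vulnerabilities"]:
        if entry["vendorProject"].lower() != vendor.lower():
            continue
        kev_product = entry["product"].lower()
        if kev_product == "multiple products" or kev_product == product.lower():
            hits.append(entry)
    return hits


def find_exposures(kev_json: str, inventory: list, fixed_versions: dict) -> list:
    """Return one finding per (asset, exploited CVE) where the asset is not provably patched."""
    kev = json.loads(kev_json)
    findings = []
    for asset in inventory:
        for entry in kev_entries_for(asset["vendor"], asset["product"], kev):
            cve = entry["cveID"]
            fixed = fixed_versions.get(cve)
            # Fail closed: with no recorded fixed version we cannot prove we are patched.
            exposed = fixed is None or parse_version(asset["version"]) < parse_version(fixed)
            if not exposed:
                continue
            in_ransomware_use = entry.get("knownRansomwareCampaignUse") == "Known"
            severity = "critical" if asset["internet_facing"] and in_ransomware_use else "high"
            findings.append({
                "cve": cve,
                "asset": f'{asset["vendor"]} {asset["product"]} {asset["version"]}',
                "fixed_in": fixed,
                "severity": severity,
                "owner": asset["owner"],
                "added_to_kev": entry["dateAdded"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_KEV_JSON, INVENTORY, FIXED_VERSIONS):
        print(f'[{finding["severity"].upper()}] {finding["cve"]} affects {finding["asset"]}; '
              f'fixed in {finding["fixed_in"]}; page {finding["owner"]}')
```

Run it from a scheduler against the live feed instead of the embedded sample. On the sample, the Cleo row recorded at 5.8.0.21 comes out as two critical findings: the asset is internet-facing, the feed marks both CVEs as used in ransomware campaigns, and 5.8.0.21 is below 5.8.0.24. Note that 5.8.0.21 was itself a Cleo patch, which is why the watch compares against the vendor's latest fixed release rather than asking whether "a patch" was applied.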
Whoever the actors, the defensive playbook stays the same: patch management driven by exploited-vulnerability intelligence, segmentation so a compromised transfer host cannot reach the rest of the estate, least privilege on what that host can read, staff awareness for the campaigns that do start with phishing, and quick containment.
We're not out of the woods. Extortion gangs keep targeting widely used vendor tools because one file-transfer product, compromised once, yields hundreds of victims at a time; Cl0p ran the same play against Accellion FTA, GoAnywhere MFT, and MOVEit Transfer before Cleo, and smaller vendors remain a route to larger prey. Regulators are responding with tighter rules: the SEC's cybersecurity disclosure rule requires public companies to file a Form 8-K within four business days of determining that an incident is material, and late disclosures invite enforcement. Companies are shifting toward "breach-first" drills, simulating attacks so they can practice their playbooks under pressure.
If you haven’t updated your incident response and third-party risk processes this year, now’s the time to act.
Every minute counts when a zero-day exploit meets a trusted vendor. Don’t wait for the next breaking-news alert to realize you’re at risk. Connect with iRM today to harden your vendor controls, automate vulnerability watches, and build an incident response plan that stops ransomware before it starts.
👉 Contact iRM to schedule your free ransomware readiness audit and secure your business → [Contact Us at iRM]