Hertz Hit by Data Breach Supply Chain Attack Exposes Customer Data Via Cleo Communications.
Rental car giant Hertz has disclosed a data breach impacting customers after a successful cyberattack on Cleo Communications, a software company they use for data transfer. The breach, which occurred through Cleo’s MOVEit Transfer platform, may have exposed sensitive customer information, raising concerns about data security in the increasingly interconnected supply chain.
While the full extent of the breach is still under investigation, Hertz confirmed that unauthorized access to Cleo’s platform may have compromised personally identifiable information (PII) belonging to some of its customers. This could include names, addresses, email addresses, driver’s license numbers, and potentially partial payment card information.
Supply Chain Woes: A Familiar Threat
This incident highlights the growing vulnerability of organizations to supply chain attacks. Businesses are increasingly reliant on third-party vendors for various services, including data transfer, storage, and software solutions. This interconnectedness creates a wider attack surface, as a compromise of a single vendor can grant attackers access to the data of numerous downstream clients.
In Hertz’s case, the attack on Cleo Communications acted as a backdoor, circumventing their own security measures and potentially exposing sensitive customer data. This underscores the importance of robust vendor risk management programs that extend beyond basic questionnaires and include ongoing security assessments and monitoring.
What Happened?
The breach traces back to a vulnerability within Cleo Communications’ MOVEit Transfer platform, a widely used file transfer system. The vulnerability, now patched, allowed attackers to gain unauthorized access to sensitive data stored on the platform. Cleo Communications promptly notified its customers, including Hertz, about the breach, prompting investigations and notification procedures.
Hertz’s Response and Customer Impact
Hertz is actively working to assess the impact of the data breach and notify affected customers. The company is urging individuals to remain vigilant for signs of identity theft, such as suspicious emails, phone calls, and unusual activity on their financial accounts. They are also likely offering resources such as credit monitoring services to those potentially affected.
Lessons Learned and Moving Forward
The Hertz data breach serves as a crucial reminder of the importance of:
- Robust Vendor Risk Management: Organizations must conduct thorough security assessments of third-party vendors, especially those handling sensitive data. This should include penetration testing, security audits, and ongoing monitoring.
- Secure Data Transfer Protocols: Implementing secure file transfer protocols and encryption methods can help protect data during transit and at rest.
- Incident Response Planning: Having a well-defined incident response plan is crucial for quickly identifying, containing, and mitigating the impact of a data breach.
- Software Patching and Updates: Staying up-to-date with software patches and security updates is essential for addressing known vulnerabilities and preventing exploitation.
- Employee Training: Educating employees about phishing scams and other social engineering tactics can help prevent unauthorized access to sensitive data.
The breach at Hertz, facilitated through Cleo Communications, underscores the inherent risks in today’s complex digital landscape. As businesses become increasingly reliant on third-party providers, securing the entire supply chain is paramount to protecting customer data and maintaining trust. This incident serves as a stark warning that vigilance, proactive security measures, and a robust incident response plan are crucial for navigating the ever-evolving threat landscape.
