U.S. rental car company Hertz Global Holdings said on Monday that some customer data may have been exposed following a cybersecurity incident involving one of its third-party vendors.
The breach, which occurred through Cleo Communications—a provider of file transfer services—stemmed from hackers exploiting zero-day vulnerabilities in the vendor’s platform during October and December, Hertz said in a disclosure on its website.
See also: Hertz Reports $2.9 Billion Loss, Adjusts EV Strategy Amid Lower Demand
The compromised data could include customer contact details, credit card numbers, and driver’s license information. A smaller subset of individuals may have had more sensitive data exposed, including Social Security or passport numbers, the company added.
“Our forensic investigation has found no evidence that Hertz’s own network was affected by this event,” the company said in a statement to Reuters. It also noted that it is not aware of any cases where the exposed information has been misused for fraudulent purposes.
See also: Hertz Faces Challenges with EV Fleet Depreciation, Plans to Sell 30,000 EVs by End of 2024
The incident underscores the growing risk posed by third-party vendors in corporate cybersecurity, as attackers increasingly target external service providers as a pathway to sensitive information. Hertz did not specify how many customers were affected by the breach.