Supply Chain Fallout: The Real Lesson Behind the Hertz Breach

What do you get when a trusted file transfer vendor becomes the weakest link? For Hertz, the answer was a major data breach that exposed sensitive customer information and damaged trust. It revealed how vulnerable even well-established enterprises can be when third-party systems are compromised.

In early 2024, Hertz learned that files containing personally identifiable information (PII), including names and driver’s license numbers, had been accessed without authorization. But the breach didn’t stem from Hertz’s own systems. Instead, it resulted from a supply chain vulnerability: attackers had exploited a zero-day flaw in Cleo, a third-party managed file transfer (MFT) provider Hertz relied on to move data securely. That single compromise rippled outward, impacting multiple organizations, with Hertz among the most high-profile victims.

The incident raises critical questions: What went wrong? Could it have been prevented? And what can other businesses learn from Hertz’s misfortune?

Anatomy of the Hertz Data Breach

The breach began with a chain reaction far outside Hertz’s security perimeter. The root cause? A zero-day vulnerability in the file transfer software operated by Cleo, a third-party vendor used by Hertz to exchange sensitive data. That vulnerability was weaponized by the Cl0p ransomware gang, a group known not for locking up systems, but for something potentially more insidious: quietly stealing data and using it as leverage for extortion.

This wasn’t the usual smash-and-encrypt operation typical of many ransomware attacks. Cl0p didn’t deploy malware inside Hertz’s environment. Instead, they slipped in through Cleo, extracted files, and disappeared, leaving Hertz’s internal systems untouched, but its data compromised. From Hertz’s perspective, the attack came not from a suspicious email or misconfigured server, but from the very pipeline it trusted to handle sensitive customer information.

The stolen data included customer names, driver’s license numbers, and other contact details. While financial records and Social Security numbers were not confirmed as part of the breach, the exposed information still carried significant risk. Driver’s license numbers, when combined with personal identifiers, are highly valuable to identity thieves and can be used to commit fraud or social engineering attacks.

The fallout was immediate. Hertz was forced to notify regulators, alert impacted individuals, and offer a year of free identity protection services. But the cost extended beyond financial remediation. The breach served as a public reminder of how dangerous and difficult supply chain vulnerabilities can be. Even when your systems are secure, your partners’ security can open the door to serious consequences. In this case, Cleo’s lapse made Hertz the victim.

What Went Wrong

At the heart of the Hertz breach lies a hard lesson about overreliance. Cleo wasn’t just another vendor; it was a critical component of Hertz’s data operations, responsible for moving sensitive files across systems. However, like many businesses, Hertz implicitly trusted this third-party partner. That trust came with a hidden cost: when Cleo was compromised, no internal safeguards were strong enough to stop the fallout. Once Cleo’s systems were breached, so was Hertz’s data.

This is where the absence of Zero Trust principles became painfully evident. Zero Trust assumes that no data, system, or user, internal or external, should be trusted by default. Yet in this case, data flowing in from Cleo was treated as safe simply because it came from an “approved” vendor. There was no in-depth inspection or sanitization of files upon arrival. No second layer of defense. The doors were effectively left open.

Even more concerning, the response was reactive rather than proactive. When Hertz discovered the breach, the data had already been stolen and potentially distributed. The company did what many do post-incident: they notified customers, offered identity protection, and began working with regulators and forensic teams. But those steps, however responsible, are fundamentally after-the-fact. They do little to undo the exposure or restore trust.

This breach wasn’t just about a vulnerability in Cleo’s software but a breakdown in layered security. It showed how a trusted pathway can quickly become an attack vector if not continuously verified and controlled.

The Rise of File-Borne Threats in the Supply Chain

The Hertz breach is part of a growing trend: exfiltration-first ransomware, where attackers steal data for extortion instead of encrypting systems. What makes this especially dangerous is the delivery method—files. Documents, spreadsheets, and archives look harmless, especially from “trusted” vendors. But attackers now embed threats that evade traditional defenses.

Legacy tools aren’t enough. Antivirus relies on known signatures, sandboxing can miss delayed payloads, and DLP often generates noise without stopping the threat. As supply chains grow more complex and attackers continue exploiting these blind spots, one thing becomes clear: it’s not enough to react to malicious files. We need to neutralize them before they reach the endpoint.

Proactive Protection with Content Disarm and Reconstruction (CDR)

The solution to file-borne threats isn’t more alerts or stricter firewalls. It’s a shift in mindset. That’s where solutions like Content Disarm and Reconstruction (CDR) come in. Unlike traditional security tools that try to detect malicious files based on known indicators, CDR takes a radically different approach: it assumes every file is potentially dangerous. Instead of playing catch-up with evolving threats, it proactively strips out risky elements.

At Votiro, we take this even further with our Advanced CDR, which uses patented Positive Selection® technology—a smarter, faster evolution of traditional CDR—to leave files safe AND fully functional. Rather than simply remove or block malicious content, we rebuild each file from scratch using only verified-safe components, including essential macros. 

The result? Clean, fully usable files (including embedded objects and password-protection) that are delivered in just milliseconds. Plus, Votiro CDR supports over 200 file types, including complex and compressed formats, without generating false positives or disrupting productivity.

Had this technology been in place at Hertz, the story could have ended differently. The malicious files exfiltrated via Cleo would have been sanitized in real time, long before they reached Hertz’s internal systems. Macros, shellcode, and embedded exploits—gone. No blocking. No quarantining. No delays.

The Final Word: Don’t Wait for a Breach to Reveal the Gaps

Trusted vendors can and increasingly do become silent entry points for cyberattacks. That’s why CDR is no longer just a “nice to have.” It fills a critical gap in modern security by treating every file as suspicious, regardless of its source. It closes the visibility gap that traditional tools miss and protects customer data before it becomes breach fodder.

The Hertz breach is a clear reminder that supply chain security is fragile, and prevention is the only true defense. Explore how Votiro can secure your files before they become a liability. Book a demo today to get started.