Hertz, a well-known car rental company, has inadvertently exposed over 60,000 insurance claim reports.
This breach has raised serious concerns about the company’s data security practices and left customers questioning the safety of their personal information.
Discovery of the Breach
The breach came to light when a customer received an unexpected email from Hertz regarding a rental record for a vehicle damaged.
The email appeared legitimate, with the correct domain and professional formatting. However, it contained a suspicious link leading to an unfamiliar site, htzra.com, which was later identified as a phishing site.
Upon further investigation, it was revealed that this site was collecting sensitive information through a form disguised as an accident report submission.
Vulnerability Exploited
The root cause of this data exposure was a classic access control vulnerability known as Indirect Object Reference.
Decoding Compliance: What CISOs Need to Know – Join Free Webinar
This flaw allowed unauthorized users to access other customers’ accident reports simply by altering the URL.
The exposed reports contained personal information such as names, addresses, phone numbers, and ages of the affected individuals. Fortunately, only a small percentage of these reports included more detailed information.
Response and Mitigation
Upon discovering the breach, cybersecurity firm Adversis reported the issue to Hertz. The company swiftly shut down the compromised domain and restricted access to the leaked information.
According to a timeline provided by Adversis, the breach was identified and reported on September 5, 2024, and by September 13, 2024, CERT confirmed that the domain was no longer accessible.
Hertz has since issued a statement acknowledging the breach and assuring customers that it is taking steps to enhance its security measures.
They have also contacted affected customers to inform them of the incident and provide guidance on protecting their personal information.
This incident has highlighted significant vulnerabilities in Hertz’s data handling practices and underscores the importance of robust cybersecurity measures in protecting customer information.
Customers are advised to remain vigilant for suspicious communications and monitor their accounts for unusual activity.
Some customers may consider opting for companies with established bug bounty programs or stronger security protocols for future rentals.
This breach reminds us of the potential risks associated with sharing personal information online and the need for companies to prioritize data protection.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial