Hertz Data Breach
- Katarzyna Celińska
- Apr 28
On April 19, 2024, Hertz disclosed a data breach tied to its third-party service provider, Cleo Communications, which exposed personally identifiable information of customers—including driver’s license numbers, contact details, and financial data. The incident, detailed in Hertz’s official notice, underscores a persistent and escalating issue: the fragility of the third-party ecosystem in data protection and operational continuity.
Cleo Communications—a file transfer service used by Hertz—experienced unauthorized access to its systems. Although the breach occurred outside Hertz’s core environment, the impact on Hertz was direct and widespread, with customer trust, data privacy, and regulatory exposure all at stake.
As digital ecosystems grow more interconnected, vendors, subcontractors, and cloud platforms become high-value targets. A single weak link can cascade into full-scale operational or reputational damage.

This breach perfectly illustrates why Third-Party Risk Management must be treated as a strategic pillar—not just a compliance function. In my recent presentations and research, I emphasize that TPRM failures are rarely about a single control gap—they’re about systemic oversight breakdowns in supply chain governance, assurance, and monitoring.
Here’s what organizations should be doing now to strengthen their TPRM programs:
- Map Supply Chain Dependencies: Know who your vendors are, what systems they access, and how their failures impact your operations.
- Categorize Vendors by Risk Level: Don’t treat all third parties the same. Tailor security and privacy expectations based on service criticality.
- Demand Evidence-Based Assessments: Don’t rely on checkbox surveys. Require up-to-date SOC 2 reports, ISO mappings, and verifiable control implementation proof.
- Mandate Continuous Monitoring: Risk doesn’t stop after onboarding. Regular reassessments, audits, and security control validation are essential—especially with critical vendors.
- Integrate Specific Security, Continuity & Privacy Clauses into Contracts: Contracts should specify mandatory controls, breach notification windows, right-to-audit provisions, and penalties for non-compliance.
- Leverage Frameworks Like DORA, NIS2, and GDPR: These regulatory frameworks already define supply chain requirements—embed them into your TPRM lifecycle.
- Ensure Auditability Across Your Supply Chain: Whether through internal audit, third-party assessment, or runtime tooling—visibility is the only path to resilience.
A data breach caused by a third party is still your breach. Security, privacy, and operational continuity must be owned collectively—and enforced contractually—across your ecosystem.
Author: Sebastian Burgemejster