When Hertz suffered a data breach through its managed file transfer system, the headlines focused on the technical details: two zero-day vulnerabilities, remote code execution, and stolen data.
We’re not here to blame Hertz; no company is immune to cyberattacks, and a zero-day, by definition, is a flaw with no patch available at the moment it is first exploited.
But for executives, the story isn’t just about the attack vector; it’s about accountability. This breach highlights an uncomfortable truth: even if the initial compromise happens through a vendor’s product or a “never-before-seen” vulnerability, your customers, partners, and regulators won’t care about the technical excuses. They’ll look at you.
Because at the end of the day, you’re accountable for customer data protection, no matter where the failure occurs.
The Attack Vector: Zero-Days in a Vendor System
The attackers exploited two zero-day vulnerabilities in Hertz’s managed file transfer solution, gaining the ability to execute code remotely on that system and, from there, to reach the data it held. Zero-days cannot be patched in advance, so this incident reinforces a reality every leader must face: you cannot prevent every vulnerability.
What you can control is how you prepare, respond, and mitigate the damage when those vulnerabilities are exploited. Preparation means assuming that a breach is not a matter of “if” but “when,” and building layered defenses accordingly. Response means having a well-rehearsed incident response plan, one that involves not just IT, but legal, communications, and executive leadership. Mitigation means ensuring that, if attackers do get in, the blast radius is limited: data is encrypted both in transit and at rest, the file transfer system is segmented from the rest of the network and holds only what it needs for as long as it needs it, and monitoring is tuned to flag unusual behavior (unexpected processes, bulk downloads, new outbound connections) before it snowballs.
Executives don’t need to be vulnerability experts, but they do need to ensure their organizations are resilient enough to withstand the vulnerabilities that inevitably slip through.
The Preventable Factor: Encryption Blind Spots
Hertz did have encryption in place, and data was protected during transmission. But once inside, attackers found sensitive data sitting unencrypted at rest. That’s where the real damage occurred.
This is a critical lesson: partial encryption strategies create a dangerous illusion of safety. Protecting data only in transit isn’t enough; a transfer system is also a storage system for every file waiting to be picked up. Executives must ensure encryption policies extend end-to-end, from transfer to storage, and are verified rather than assumed: audits that look at what is actually on disk, and penetration tests that check whether an attacker with code execution on the transfer host can read the stored files or the keys that protect them. Encryption at rest only limits the damage if those keys live outside the host that was compromised, for example in a key management service or HSM, and if stored files are purged once delivered.
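The two controls named above, sealing every file before it reaches disk and auditing the store for anything that bypassed that path, are illustrated below in an added example. This is not code from the original article and not Hertz’s or any vendor’s implementation; the file layout (a constructed `MFTENC1` header, then the GCM nonce, then the ciphertext), the function names and the sample files are all assumptions made for the demonstration. The key is generated in memory for the demo; a real service would fetch it from a KMS or HSM rather than store it beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// magic is a constructed marker written in front of every object the transfer
// service stores; the audit below uses it to separate sealed blobs from plaintext.
var magic = []byte("MFTENC1\x00")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under key. aad is authenticated but
// not encrypted; binding the storage name to it means a blob copied into a
// different slot fails to open instead of silently decrypting.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, magic...), nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails closed on a missing header, truncation,
// a bad tag or an aad mismatch.
func Open(key, blob, aad []byte) ([]byte, error) {
	if !IsSealed(blob) {
		return nil, errors.New("object is not a sealed blob")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	body := blob[len(magic):]
	if len(body) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob truncated")
	}
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], aad)
}

// IsSealed is the cheap on-disk check: does the object carry the header?
func IsSealed(blob []byte) bool { return bytes.HasPrefix(blob, magic) }

// StoreFile is the only write path the service should expose: bytes received
// from a transfer are sealed before they touch disk.
func StoreFile(dir, name string, key, data []byte) error {
	blob, err := Seal(key, data, []byte(name))
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, name), blob, 0o600)
}

// AuditStore walks dir and returns every regular file that lacks the sealed
// header, i.e. data that reached the store without going through StoreFile.
func AuditStore(dir string) ([]string, error) {
	var exposed []string
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		head := make([]byte, len(magic))
		n, _ := io.ReadFull(f, head) // short read just means "not sealed"
		if !IsSealed(head[:n]) {
			rel, _ := filepath.Rel(dir, p)
			exposed = append(exposed, rel)
		}
		return nil
	})
	return exposed, err
}

func main() {
	key := make([]byte, 32) // demo only; production keys come from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	dir, err := os.MkdirTemp("", "mft-store")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample: one upload through the sealed path, one written by a
	// legacy export job that skipped encryption entirely.
	_ = StoreFile(dir, "customers.csv", key, []byte("name,card_last4\nA. Smith,4242\n"))
	_ = os.WriteFile(filepath.Join(dir, "legacy-export.csv"), []byte("name,card_last4\n"), 0o600)
	exposed, _ := AuditStore(dir)
	fmt.Println("plaintext at rest:", exposed) // [legacy-export.csv]
}
```

The header scan is deliberately cheap so it can run across an entire store on a schedule; it proves that a file went through the sealing path, not that the ciphertext is sound. For the stronger check, a penetration tester with access to the host should also confirm that `Open` fails without the key, and that the key itself is not recoverable from the same box.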
Key Leadership Lessons
1. Vendor Security Failures Don’t Absolve You
It’s tempting to point the finger at a third-party provider when something goes wrong. But regulators, courts, and the public won’t distinguish between your failure and your vendor’s failure: the data was entrusted to you.
Your due diligence must go beyond contracts and SLAs. You need a repeatable process to evaluate how vendors secure data, how quickly they disclose and fix vulnerabilities, and how they monitor their own third-party risk. That process is vendor due diligence, and it has to produce evidence you can show an auditor, not a signed attestation you filed away.
2. Encrypt Data at Rest and in Transit
Encryption can’t be treated as a “checkbox” compliance measure. If attackers gain access to your system, unencrypted data at rest becomes an open door, and data encrypted with a key stored on that same system is barely better. C-suite leaders should mandate end-to-end encryption strategies, with keys managed separately from the systems that hold the data, and regular validation through external security assessments.
3. Zero-Day Vulnerabilities Are Inevitable
The Hertz breach underscores that zero-days are a fact of life. Your job isn’t to eliminate them, it’s to build resilience. That means having incident response plans tested and rehearsed, clear escalation paths, and crisis communications ready before an attack ever happens.
4. Due Diligence Must Include Vendor Security Posture
It’s no longer enough to ask if your vendor is “compliant.” You need to dig deeper, and you need evidence, not a yes:
- How do they monitor for new vulnerabilities in their product, and how quickly do they notify customers and ship a fix?
- How often do they perform penetration testing, and will they share the scope and findings summary?
- What’s their encryption policy for data at rest, and where are the keys held?
- How do they validate incident response readiness, and when did they last exercise it?
If you don’t know the answers, you’re not doing due diligence; you’re accepting blind risk.
The Bottom Line: Accountability Lives With You
The Hertz breach offers a clear reminder: responsibility for customer data doesn’t stop at your firewall. Whether it’s a zero-day exploit, a vendor misconfiguration, or an overlooked encryption gap, your organization is accountable.
For C-suite leaders, the path forward is clear:
- Treat vendor security as an extension of your own.
- Demand end-to-end encryption.
- Build response strategies that assume compromise will happen.
- Ask tougher questions, and require proof, not promises.
Cybersecurity isn’t just an IT function. It’s a leadership imperative. And in the eyes of your customers and regulators, there’s no outsourcing accountability.
For C-Suite Leaders
When was the last time you challenged your vendors on their security practices? What specific proof do you require to validate their controls, and how confident are you that “we’re fine” isn’t the most dangerous assumption you’re making today?
If you are ready for your penetration test, contact us today.