The American moving and storage rental company U-Haul disclosed a data breach that exposed customer data. U-Haul started an investigation on July 12 and concluded on August 1st that the hackers accessed customers’ information between November 5, 2021, and April 5, 2022.
On September 9, the moving and storage company began sending data breach notification letters to the affected customers. Additionally, U-Haul responded by engaging cybersecurity experts to determine the nature of the compromised contractual data.
With more than 23,000 locations in 50 states in the United States and ten provinces in Canada, U-Haul North America’s operation involves a fleet of 128,000 trailers, 186,000 trucks, and 46,000 towing devices. U-Haul also operates 825,000 rental storage units, making it the third-largest storage space provider in North America.
U-Haul data breach exposed customer data for rental contracts
The Phoenix, Arizona-based transport and storage company disclosed that the data breach allowed unauthorized access to rental contracts for U-Haul, including customer names and driver’s license or state identification numbers.
U-Haul traced the data breach to a contract search tool that allows access to rental contracts for U-Haul customers. However, the customer data breach did not expose any payment card information since the tool does not access that information.
“Often we focus more intently on data breaches involving exposure of financial information, assuming that because they deal with monetary information they are more damaging and newsworthy. However, sensitive information includes non-payment information too, such as personally identifiable information (PII) which exposes people’s true identities. This type of information is critical to highly detrimental activities such as identity theft, which usually winds up negatively affecting people financially anyway,” noted Erfan Shadabi, a cybersecurity expert at Comforte AG.
The moving company did not disclose the number of impacted customers, although a spokesperson confirmed to Fox Business that the number is 2.2 million.
U-Haul also disclosed that the customer data breach did not affect its financial, payment processing, or email systems, or its business operations. Neither the company’s internal networks nor its customer-facing applications were affected.
“Based on our investigation and remediation of the incident, we are confident there is no further risk to our systems and the data contained within,” the company explained. “It is safe to conduct business with our company.”
Breach resulted from password compromise
U-Haul has not identified the threat actor responsible, although it disclosed that the attackers compromised two unique passwords. Investigators did not explain how the threat actors obtained those passwords but said the passwords were reset shortly after the intrusion.
“Upon identifying the compromised passwords, we promptly changed the passwords to prevent any further unauthorized access to the search tool and started an investigation,” the company said.
According to Sami Elhini, senior product manager at Cerberus Sentinel, such cybersecurity incidents highlight the importance of multifactor authentication in protecting customer data.
“Access to sensitive information should never be protected solely with passwords, regardless of password complexity,” Elhini added. “Ultimately, this is an identity management issue.”
Customers should remain vigilant of potential identity theft
Meanwhile, the moving company offered one year of free identity theft protection through Experian credit monitoring services. Impacted customers can also obtain free credit reports annually from any of the nationwide credit services.
Additionally, customers should remain vigilant for potential identity theft attempts by monitoring their financial statements, credit reports, and account activity.
The latest data breach is the second major cybersecurity incident to hit the moving company in almost five years. In 2017, U-Haul notified its customers of a malware incident affecting one of its independent dealers, Solo Tire, in Orange, California. The malware potentially compromised credit card information and other rental information. That incident leaked payment card numbers and expiration dates, along with personally identifiable information such as the customer’s name, address, phone number, email address, driver’s license number, and birth date.