Hacker working on computer showing data breach exposed customer records

U-Haul Data Breach Leveraging Legitimate Passwords Exposed 67,000 Customer Records

American moving and self-storage rental company U-Haul has disclosed a data breach that exposed tens of thousands of customer records.

The Phoenix, Arizona-based company said in breach notification letters sent to impacted customers that the threat actor breached a records system used by employees and dealers.

Founded in 1945, U-Haul rents out moving equipment and self-storage spaces in over 23,000 locations in the United States and Canada. It manages over 66.7 million square feet of storage space, 192,200 trucks, 138,500 trailers, and 44,500 towing devices.

With a workforce of more than 30,000 employees, the company reported an annual revenue of $5.72B for the calendar year 2023.

U-Haul said the data breach resulted from compromised legitimate credentials, the second of its kind in less than two years.

U-Haul data breach exposed 67,000 customer records

A regulatory filing with the Office of the Maine Attorney General disclosed that the data breach involving legitimate credentials occurred between July 20 and October 2, 2023.

For over two months, the attacker discreetly accessed a customer records system used by dealers and employees before the company discovered the intrusion on December 5, 2023.

“U-Haul learned on December 5, 2023, that legitimate credentials were used by an unauthorized party to access a system U-Haul Dealers and Team Members use to track customer reservations and view customer records,” the company said.

Upon discovery, the moving company responded by initiating its incident response protocols and launching an investigation with an undisclosed external cybersecurity firm.

On December 6, 2023, the probe determined that the threat actor accessed personal data items, including the victims’ names, dates of birth, and driver’s license numbers.

However, U-Haul’s regulatory filing did not disclose the specific number of individuals impacted. The company later clarified that the data breach impacted 67,000 customers in the United States and Canada.

U-Haul also explained that the breached customer records system was not linked to the payment system. Thus, the data breach did not expose the victims’ payment information, including bank account details and debit or credit card numbers.

“The customer record system that was involved is not part of our payment system. No payment card data was involved,” the company said.

Nevertheless, the logistics company is offering data breach victims one year of free Experian IdentityWorks membership to protect them from identity theft.

U-Haul also did not disclose how the threat actor obtained legitimate credentials used to access the customer records system.

However, phishing, infostealer malware infections, and credential stuffing attacks are among the most common methods through which hackers obtain legitimate login credentials.

Meanwhile, the moving and self-storage rental company said it was implementing additional controls to prevent similar data security breaches in the future.

“To prevent something like this from happening again, U-Haul is taking steps to enhance its existing security measures, including changing passwords for affected accounts and implementing additional security safeguards and controls,” the company said.

Another U-Haul data breach leveraging legitimate credentials

Twice in less than two years, unauthorized individuals have exploited legitimate passwords to compromise U-Haul customer records.

“It seems that some companies still struggle to fix the basics of cyber security even if they have previously been victims,” said Darren James, a Senior Product Manager at Specops Software, an Outpost24 company. “U-Haul has once again hit the headlines today with news of a data breach caused by compromised credentials, the same reason for a data breach at U-Haul back in July 2022.”

In September 2022, the moving company said digital intruders compromised two legitimate passwords and accessed customer records spanning between November 2021 and April 2022. That data breach leaked sensitive personal information, including names and driver’s licenses or state identification numbers.

U-Haul is among numerous companies impacted by cyber attacks leveraging compromised legitimate credentials.

IBM’s X-Force Threat Intelligence Index 2024 report found that attacks leveraging legitimate credentials recorded a 71% year-over-year increase, underscoring the need for an additional layer of security in addition to strong passwords.

“This sort of attack likely could have been avoided by using phishing-resistant MFA,” said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. “Phishing-resistant MFA should be used by all companies to protect valuable data and systems.”