Amerco, the parent company of moving and storage rental company U-Haul, recently disclosed a data breach in which an unauthorized party had access to an unspecified number of rental contracts. Although it is unclear how many clients were impacted by the attack, the company claimed that their credit card information appears safe.
According to a report by the company, the offender had access to the clients’ names, driver’s licenses (and the data on them, such as physical addresses and dates of birth), and state identification numbers.
U-Haul data breach explained
On September 9, 2022, U-Haul notified the affected customers about a possible data breach. In the notice letter, the American moving supplier stated that two unique passwords were compromised and used to access a customer contract search tool, which in turn gives access to rental contracts for U-Haul customers.
“We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts for U-Haul customers. The search tool cannot access payment card information; no credit card information was accessed or acquired,” the report stated.
With the aid of outside cybersecurity specialists, the company launched an investigation, which found that some rental contracts were accessed between November 5, 2021, and April 5, 2022. The investigation evidently concluded on September 7, and the notices were sent to affected customers a few days later.
However, despite the involvement of cybersecurity specialists, the data breach notice and the complaint didn’t explain how the passwords that allowed access to the search tool’s functionality were compromised. The company claims that no financial information, payment processing, or email systems were impacted, and U-Haul continues to follow standard working procedures. Its parent company, Amerco, also assured customers that the event did not significantly affect its business and financial position.
U-Haul will strengthen its security protocols
Following the incident, U-Haul stated that it would enhance its security measures and add more security controls and protections against these types of attacks. It also said it would add new standards for the search features that were the main target of the threat actor.
Moreover, the company aims to provide affected customers with complimentary identity theft protection services through Equifax for an entire year. The offer of the data protection service appears to come more than ten months after the breach incident and five months after it was reportedly discovered.
The customer information obtained or breached could have been utilized inappropriately. According to reports, at least one class action law firm is urging those who may have been impacted to contact them to discuss “possible legal remedies.”