Amerco, the parent company of moving and storage rental U-Haul, recently disclosed a data breach due to an unauthorized identity having access to an undefined number of rental contracts. Although it is unclear how many clients were impacted by the attack, their credit card information, the company claimed, appears safe.
According to a report by the company, the offender had access to the clients’ names, driver’s licenses (and the data on them, such as physical addresses and dates of birth), and state identification numbers.
On September 9, 2022, U-Haul notified the affected customers about a possible data breach. In the notice letter, the American moving supplier stated that two unique passwords were used to access customers’ contract details. A search tool was also used to access contracts for U-Haul customers.
We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts for U-Haul customers. The search tool cannot access payment card information; no credit card information was accessed or acquired,” the report stated.
With the aid of outside cybersecurity specialists, the company launched an investigation, concluding that some rental contracts were accessed between November 5, 2021, and April 5, 2022. Evidently, on September 7, the investigation concluded, and a few days later, the notices were sent to affected customers.
However, despite the involvement of cybersecurity specialists, the data breach notice and the complaint didn’t explain how the passwords that allowed access to the search tool’s functionality were hacked. The company claims that no financial information, payment processing, or email systems were impacted, and U-Haul continues to follow standard working procedures. Its parent company, Amerco, also ensured customers that the event did not majorly affect its business and financial position.
Post the incident, U-Haul stated that it would enhance the security measures and add more security controls and protections against these types of attacks. It also claimed to add new standards for the Search features that were the main target of the threat actor.
Moreover, the company aims to provide affected customers with complimentary identity theft protection services through Equifax for an entire year. The data protection service seems to be made more than ten months after the breach incident and five months after it was reportedly discovered.
The customer information obtained or breached could have been utilized inappropriately. According to reports, at least one class action law firm is urging those who may have been impacted to contact them to discuss “possible legal remedies.”
AI fraud, deepfake probes, SME cyber warnings, and ransomware cases highlight rising global risks in this week’s Cyber Express roundup.
French national bank authority confirmed a major data breach affecting 1.2 million bank accounts after a malicious actor stole credentials…
The real success of AI will not only depend on how powerful the technology becomes, but on how safely, fairly,…
Israel data breach totals two petabytes, with phishing up 35% and cyber influence attacks rising 170%, says Yossi Karadi.
The UMMC cyberattack halted surgeries, closed clinics statewide and triggered a federal probe into potential patient data exposure.
ESET researchers discovered PromptSpy, the first known Android malware to integrate generative AI directly into its execution flow, marking a…
This website uses cookies. By continuing to use this website you are giving consent to cookies being used.
Read More