Following an investigation of the cyber incident, the company reportedly experienced a compromise of two unique passwords used for their company’s IT network. Though it wasn’t clear how the unauthorized actor or actors gained access to the passwords, they were able to access a rental contract search tool, allowing the perusal of customer information. U-Haul also clarified that no credit card or other financial information was obtained by the hackers.
Unique Passwords Were Compromised
Phoenix-based U-Haul International Inc. is one of the U.S.’s largest truck rental, moving, and self-storage companies, and has over 23,000 locations across the US and Canada. The company commands a fleet of hundreds of thousands of vehicles. A consumer notification letter posted online by U-Haul on Friday, Sept. 9, 2022, confirmed that the moving colossus suffered a breach connected to its internal company network. An as-of-yet unknown individual or individuals gained unauthorized access to a “customer contract search tool that allows access to rental contracts for U-Haul customers,” the company said. An in-depth investigation into the suspicious activity began on Aug. 1, 2022, and culminated on Sept. 7, 2022, confirming a breach of “some rental contracts,” the company said. Upon confirmation of the unauthorized access with cybersecurity experts, it was confirmed that customers’ names, driver’s licenses, and/or state identification numbers were accessed by unknown actors. The company said it changed the compromised passwords shortly thereafter.
No Payment Data Stolen
U-Haul noted that the information accessed by hackers was limited to personally identifiable information, and did not contain any credit card numbers or any other financial data. “None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool,” the company noted. The company is working on implementing additional security measures and controls on its internal systems, particularly regarding the compromised search tool. U-Haul is also offering one year of complimentary Equifax customer identity theft protection service for the affected customers.
How Do Companies Get Hacked?
There is no public information at this time detailing exactly how the unknown actor or actors breached U-Haul’s company systems to gain access to their unique passwords. Though experts can only speculate at this point, past examples of breaches on a massive scale can offer some insight. One of the most common occurrences finds employees compromised through targeted phishing schemes — email scams designed to trick victims into entering their login information on a fraudulent page. Businesses are becoming increasingly susceptible to social engineering scams as well, which can make a phishing ploy far more believable. For example, tech giant Twitter’s IT infrastructure was targeted in such an attack, where hackers called employees, posing as Help Desk agents, and redirected them to fraudulent sites to enter credentials. Once bad actors had the login information, they were able to overtake celebrity social media accounts and run a brazen cryptocurrency scam. Digital identity theft is also a looming issue for those who have had their information exposed — even giants like PayPal have fallen victim. Most recently, a leak affected the food delivery platform DoorDash following the hack of a third-party vendor. With malicious actors always looking to take advantage of personal data, it’s a good idea to protect yourself against digital identity theft with a product such as LifeLock — which you can read all about in our full guide to identity theft.