Last week, the moving and rental company U-Haul started sending out letters to customers alerting them about a recent data breach. Bleeping Computer reports that U-Haul discovered the breach earlier this summer. The company found that attackers hacked a search tool that contained the names and driver’s license information of customers.
U-Haul data breach exposes customer info
According to U-Haul, an investigation began on July 12 following the discovery of the breach. On August 12, the U-Haul investigators found that hackers accessed “some rental contracts” between November 5, 2021, and April 5, 2022.
Here is U-Haul’s full explanation for what happened and what data was accessed:
We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts for U-Haul customers. The search tool cannot access payment card information; no credit card information was accessed or acquired. Upon identifying the compromised passwords, we promptly changed the passwords to prevent any further unauthorized access to the search tool and started an investigation. Cybersecurity experts were engaged to identify the contracts and data that were involved. The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts. None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool.
All things considered, the hackers didn’t do much damage. They didn’t steal any credit card numbers or accounts. Taking a page from other companies, U-Haul is offering any affected customers one year of Equifax identity theft protection services for free.
“We sincerely apologize for that. Please know we are working diligently to further augment our security measures to guard against such incidents and implementing additional security safeguards and controls on the search tool,” U-Haul added in its letter.
In recent years, data breaches such as this have become increasingly common. In 2021, both T-Mobile and LinkedIn suffered serious breaches that exposed personal data.