U-Haul Customer Contract Search Tool Compromised

Password compromise led to unauthorized access to a customer contract search tool over a five-month window, according to the company.

2 Min Read
U-Haul trucks on a lot for rent
Source: Lars Hagberg via Alamy Stock Photo

U-Haul said attackers were able to compromise two individual passwords and access the company's customer contract tool, exposing customer names and driver's license or state identification numbers.

Attackers had unauthorized access from Nov. 5, 2021, to April 5, 2022, U-Haul said. Once the breach was discovered, U-Haul changed the affected passwords and launched an investigation, the company explained on Sept. 9.

"The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts," according to U-Haul's notice of the cybersecurity incident. "None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool."

U-Haul's Password Security Panned

Experts like Sami Elhini, with Cerberus Sentinel, panned U-Haul's lack of password security.

"Ultimately, this is an identity management issue," Elhini explained in an emailed statement. "Determining you have a resolved identity based on a successful one-factor authentication is not only blissfully ignorant, but also potentially civilly and criminally negligent."

Lior Yaari, CEO of Grip Security was also withering in his assessment of U-Haul's cybersecurity.

"The passwords compromised in this U-Haul attack were clearly not governed or protected properly," Yaari said in an emailed statement. "There are probably other passwords that may have already been compromised that U-Haul, and hundreds of other companies, are unaware of and will not become aware of, until another breach like this occurs.”  

Improving Password Protections

While the precise approach might very across sectors and organizations, Yaari said the industry needs to stop repeating the same mistakes and relying on employees as an effective defense against cyberattack.

"The additional safeguards companies take to prevent password compromise will likely fail, and this type of breach will be repeated over and over again," Yaari added. "Rather than adding more Band-Aids, the industry needs to take a fresh approach that removes the burden of securing passwords from employees."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights