U-Haul Discloses Data Breach Exposing Customer Driver Licenses
Moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers’ names and driver’s license information.
As the company revealed notification letters sent to impacted individuals on Friday, it discovered on August 1, following an incident investigation, attackers accessed some customers’ rental contracts between November 5, 2021, and April 5, 2022.
“After an in-depth analysis, our investigation determined on September 7, 2022, the accessed information includes your name and driver’s license or state identification number,” U-Haul told affected customers.
The attacker accessed the U-Haul rental contracts search portal after compromising two “unique passwords.”
While the company didn’t explain how the credentials were compromised, it changed them after the breach was detected to block additional malicious activity.
No credit card info accessed by attackers
U-Haul added that no credit card information was accessed or acquired during the incident because the compromised search tool does not provide users with access to payment card information.
“The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts,” the moving giant added.
“None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool.”
U-Haul says it provides affected customers one year of free identity theft protection services through Equifax to help them detect when or if their personal information is misused.
The American moving truck, trailer, and self-storage rental company has a network of more than 23,000 locations across the U.S. and Canada.
It operates a fleet of roughly 186,000 trucks, 128,000 trailers, and 46,000 towing devices and is the third largest self-storage operator in North America.
A U-Haul spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.