U-Haul has started informing customers that a hacker used stolen account credentials to access an internal system for dealers and team members to track customer reservations.
The breach exposed customer records that include personal information but payment details have not been impacted.
U-Haul is an American company that rents moving equipment and storage space for ‘do-it-yourself’ customer needs. It offers trucks, trailers, and other equipment and services for moving household goods.
The firm has been operational since 1945, has a staff of 19,500, and has an annual revenue of over $4.5 billion.
Yesterday, U-Haul began emailing customers whose data was accessed without authorization in the cyberattack.
“U-Haul learned on December 5, 2023, that legitimate credentials were used by an unauthorized party to access a system U-Haul Dealers and Team Members use to track customer reservations and view customer records,” - U-Haul
“The investigation identified specific customer records that were accessed, including one of your records,” the company says in the notification to customers.
The data types that have been exposed in these customer records include full names, dates of birth, and driver’s license numbers.
U-Haul clarified that the breached system is not part of their payment system, so hackers could not access payment card data.
The company says it has reset passwords for all affected accounts as a precaution and implemented additional security safeguards and controls to prevent similar incidents from occurring in the future.
Recipients of the data breach notification will receive a one-year identity theft protection service with instructions on how to enroll enclosed in the letters.
U-Haul has not determined how many customers have been exposed in this case.
BleepingComputer has contacted U-Haul to learn more about the data breach and its scope of impact, but a comment wasn’t immediately available. Also, the company’s website was offline at the time of writing this.
In September 2022, U-Haul disclosed another data breach, saying that attackers had accessed customer rental contracts between November 2021 and April 2022.
In that case too, the hackers used two compromised account credentials to access U-Haul’s internal portal.
Update 2/23 - A U-Haul spokesperson told BleepingComputer that the data breach impacts 67,000 customers from the U.S. and Canada.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now