Cyber Incident Victim: U-Haul International
Date: Apr 2022
Location: United States of America
Summary
U-Haul International experienced a data breach in which attackers compromised two unique passwords to access a customer contract search tool, exposing names and driver's license or state identification numbers from rental contracts over several months. The unauthorized access was limited to the search tool, with no impact on financial systems, payment processing, email services, or credit card information. Following detection, the company changed the compromised credentials, engaged cybersecurity experts for investigation, and offered affected customers one year of identity theft protection services.
Description
In early July 2022, U-Haul International detected unauthorized access to its customer contract search tool, prompting an immediate investigation launched on July 12. The investigation revealed that attackers had compromised two unique passwords to infiltrate the tool between November 5, 2021, and April 5, 2022—a five-month exposure window. This search portal allowed access to rental contracts containing customer names and driver's license or state identification numbers, but did not provide access to credit card data or financial systems. Upon discovering the password compromise, U-Haul reset the credentials to block further unauthorized activity and engaged cybersecurity experts to analyze the breach scope. By August 1, investigators confirmed that rental contracts during the five-month period had been accessed, though the company waited until completing additional analysis on September 7 to finalize impact details. The breach exclusively affected the contract search tool, leaving email systems, payment processing platforms, and customer-facing websites untouched.

U-Haul began notifying impacted customers on September 9, 2022, disclosing that attackers potentially obtained sensitive personally identifiable information but no financial data. The company emphasized business operations remained unaffected and offered affected individuals one year of complimentary identity theft protection services through Equifax. Internal response measures included implementing additional security controls on the search tool and enhancing safeguards to prevent recurrence. While the exact number of affected customers wasn't disclosed, U-Haul confirmed the breach's geographic scope aligned with its operational footprint across 23,000 locations in the U.S. and Canada. This marked U-Haul's second significant security incident following a 2017 breach involving payment card malware at a California dealership. The investigation found no evidence of continued unauthorized access after password remediation in July.
