U-Haul Says Customer Data Accessed Using Compromised Credentials

Moving and storage giant U-Haul has started informing customers of a data breach impacting some of their personal information.

On Friday, U-Haul began sending notification letters to potentially impacted customers to inform them that compromised credentials were used to access some of their data without authorization.

“We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts for U-Haul customers,” reads a notification letter sample that U-Haul submitted to the Montana Attorney General.

The search tool, the company says, does not store payment card information, meaning that no credit card details were exposed in the incident.

However, the unauthorized party was able to access customer names, driver’s license numbers, or state identification numbers.

Between November 5, 2021, and April 5, 2022, the attackers accessed some rental contracts, the company says, without providing information on the number of impacted customers.

“None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool,” U-Haul says.

SecurityWeek has emailed U-Haul for additional information on the incident and will update this article as soon as a reply arrives.

With a fleet of hundreds of thousands of trucks, trailers, and towing devices, U-Haul has a network of more than 23,000 locations across North America.

Related: Samsung US Says Customer Data Compromised in July Data Breach

Related: Ransomware Gang Claims Customer Data Stolen in TAP Air Portugal Hack

Related: Authorities Seize Online Marketplace for Stolen Credentials

Related: OneTouchPoint Discloses Data Breach Impacting Over 30 Healthcare Firms