5-month U-Haul breach leaked driver’s licenses, IDs of customers

Popular moving truck service U-Haul began sending out breach notification letters to customers last Friday after discovering hackers had been inside their system for more than five months.

In the notice shared by the company and the letters sent to victims, the company said names, driver’s license and state identification numbers were viewed and potentially stolen by hackers who had access to rental contracts from November 5, 2021 to April 5, 2022. U-Haul said its security team identified the breach on July 12.

“We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts for U-Haul customers,” the company said, adding that the search tool cannot be used to access credit card information.

“Upon identifying the compromised passwords, we promptly changed the passwords to prevent any further unauthorized access to the search tool and started an investigation," it added. "Cybersecurity experts were engaged to identify the contracts and data that were involved. The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts.”

A spokesperson for the company did not respond to a list of questions sent by The Record asking how many customers were affected and where most of the victims were located. The breach did not involve U-Haul email systems or any payment processing tools, the company said.

U-Haul determined that the rental contracts were accessed on August 1 but waited until the completion of another investigation on September 7 to move forward with sending breach notification letters. The company did not respond to questions about the month between when they realized the contracts were accessed and when they decided to notify victims. 

The company said it would be providing victims with one year of free identity theft protection services through Equifax. 

U-Haul says it handles 2 million one-way U-Haul truck customer transactions annually and operates in all 50 states as well as 10 provinces in Canada through its more than 23,000 U-Haul truck- and trailer-sharing locations. The company has about 176,000 trucks, 126,000 trailers, 46,000 towing devices, 825,000 rentable storage units and 71.6 million square feet of self-storage space. 

This is not U-Haul’s first breach. In 2017, the company notified customers of an incident where a California U-Haul dealer was hit with malware that targeted payment card information.