An American moving truck, trailer, and self-storage rental company U-Haul has disclosed a data breach activity in their systems performed by an unknown group. The threat actors were able to compromise the personal information of the company’s customers.

U-Haul said an unauthorized person obtained some rental contracts between November 5, 2021, and April 5, 2022. After that, the company went on a detailed investigation and found that the information included names, driver’s licenses, or state identification numbers. In a notification to its customers, U-Haul unveiled further about the incident.

The company informed that an unknown threat actor compromised two unique passwords which allowed the person to access its rental contracts for U-Haul customers. By utilizing those passwords, the actor has managed to reach and use the contract search tool in the systems.

According to the company's statement, the search tool cannot access payment card information; no credit card information was compromised. As soon as the incident was detected, the compromised passwords were changed to rule out any further unauthorized entry. U-Haul said;

« The search tool cannot access payment card information; no credit card information was accessed or acquired. Upon identifying the compromised passwords, we promptly changed the passwords to prevent any further unauthorized access to the search tool and started an investigation. »

U-Haul’s stated that an internal technical team started an investigation into the incident with external cybersecurity experts in partnership to identify any accessed contracts and impacted customers. The company also offered its affected customers one year of free identity theft protection services, provided by Equifax.