Going deeper
According to U-Haul’s data breach notice, the company determined that the breach resulted from an unauthorized party using legitimate credentials. With those credentials, the malicious actor could access a system used by U-Haul Dealers and Team Members that allows employees to track customer reservations and view customer records.
Once U-Haul discovered the breach, the company responded swiftly to enhance its security measures. The company is offering free identity monitoring services to impacted users for one year. In the letter, U-Haul provided further suggestions for fraud alerts, as well as credit and security freezes.
What was said
The letter from U-Haul was signed by Scott Van Sande, the Director of Data Privacy and Security at U-Haul. Van Sande said, “We take the privacy of information under our care very seriously. To help prevent a similar incident in the future, we have and will continue to take steps to enhance security measures, including changing passwords for affected accounts and implementing additional security safeguards and controls.”
Why it matters
U-Haul is fortunate that its systems are not all connected, which likely prevented the malicious actors from gaining access to payment information or other data. While it’s unclear how the actors obtained authentic credentials, it’s possible that the credentials did not meet the highest security standards outlined by NIST.
A 2023 survey revealed that it’s fairly common for employees to let security protocols slide, which could include their credentials.
Read more: New survey reveals gap in cybersecurity implementation
The big picture
Every company should consider potential risks and vulnerabilities that could lead to data breaches. A recent report revealed that most data breaches are caused by improper disposal, theft, unauthorized access/disclosure, and hacking or IT-related incidents.
Healthcare organizations, in particular, have an obligation to keep data safe and secure. Email is one of the biggest targets, and a breach can result in significant financial and legal implications, on top of the time it may take to resolve the breach.