Compromised U-Haul Customer Contract Finder


U-Haul said attackers were able to compromise two individual passwords and gain access to the company’s customer contract tool, exposing customer names and driver’s license or state ID numbers.

Attackers had unauthorized access from Nov. 5, 2021 through April 5, 2022, U-Haul said. After the flaw was discovered, U-Haul changed the affected passwords and launched an investigation, the company said on September 9.

“The investigation determined that an unauthorized person had accessed the customer contract search tool and certain customer contracts,” according to U-Haul’s notice of the cybersecurity incident. “None of our U-Haul financial, payment processing, or messaging systems were involved; access was limited to the customer contract finder.”

U-Haul password security criticized

Experts like Sami Elhini, with Cerberus Sentinel, have analyzed U-Haul’s lack of password security.

“Ultimately, this is an identity management issue,” Elhini explained in an emailed statement. “Determining that you have a resolved identity based on successful one-factor authentication is not only blissfully ignorant, but also potentially civilly and criminally negligent.”

Lior Yaari, CEO of Grip Security, was also withering in his assessment of U-Haul’s cybersecurity.

“The passwords compromised in this U-Haul attack were clearly not governed or protected properly,” Yaari said in an emailed statement. “There are likely other passwords that may have already been compromised that U-Haul and hundreds of other companies are unaware of and will not be aware of until another violation such as this occurs.”

Improved password protections

While the precise approach may vary from industry to industry and organization to organization, Yaari said the industry needs to stop repeating the same mistakes and relying on employees as an effective defense against cyberattacks.

“Additional safeguards that companies take to prevent password compromise will likely fail, and this type of breach will happen again and again,” Yaari added. “Rather than adding more band-aids, the industry needs to adopt a new approach that removes the burden of securing employee passwords.”
