U-Haul International, Inc. Files Notice of Data Breach After Two Passwords Were Compromised

Console and Associates, P.C.

On September 9, 2022, U-Haul International, Inc. reported a data breach with several state attorneys general offices after the company learned that two passwords were compromised, allowing an unauthorized party access to the company’s contract search tool. According to U-Haul, the breach resulted in the names and driver’s license numbers or state identification numbers of certain individuals being compromised. After confirming the breach and identifying all affected parties, U-Haul International began sending out data breach letters to all consumers impacted by the data security incident. While the total number of people affected by the Uhaul breach remains unknown, the company has confirmed that the incident impacted the personal information of 5,568 people in Montana alone.

What We Know About the U-Haul International Data Breach

The information about the U-Haul International, Inc. data breach comes from the company’s official filings with the Montana Attorney General. According to this source, UHaul recently learned that two unique passwords that granted access to the company’s contact search tool were compromised. Upon learning of the compromised passwords, UHaul changed the passwords and began working with cybersecurity professionals to investigate the incident.

As a result of this investigation, U-Haul confirmed that an unauthorized party obtained the compromised passwords and accessed the contract search tool. On August 1, 2022, the company determined that the unauthorized access began on November 5, 2021, and lasted until April 5, 2022.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, U-Haul International began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. The company’s review of the affected data was completed on September 7, 2022. While the breached information varies depending on the individual, it may include your name and driver’s license number or state identification number.

On September 9, 2022, U-Haul International sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. Uhaul has not yet confirmed how many people across the country were affected by the breach; however, based on the company’s filing with the Montana Attorney General’s office, there were 5,568 victims in Montana alone.

More Information About U-Haul International, Inc.

Founded in 1945, U-Haul International, Inc. is a moving equipment, truck, and storage rental company based in Phoenix, Arizona. The company focuses on the “do-it-yourself movers, providing them with all equipment and material needed to move. U-Haul has more than 17,000 dealers across the United States. U-Haul is owned by AMERCO, a publicly traded holding company that also operates Amerco Real Estate, RepWest Insurance Company, and Oxford Life Insurance Company. U-Haul is publicly traded on the NASDAQ stock exchange under the ticker symbol “UHAL.” U-Haul International employs more than 19,500 people and generates approximately $4 million in annual revenue.

How Do Hackers Obtain Sensitive Employee Passwords?

U-Haul explains in its data breach letter that the recently announced data breach was the result of an unauthorized party gaining access to two sensitive passwords. However, one fact the company left out is how the unauthorized party came into possession of passwords that were supposed to be kept secure.

There are a few ways that hackers or other cybercriminals looking to steal consumer information can access employee passwords. However, most often, these attacks involve email phishing attacks.

Phishing is a type of cyberattack in which a hacker sends an email from a seemingly legitimate source to an employee of an organization. These emails are well designed and look very much like official emails; for example, they may contain company logos and come from a very similar identical domain name. In the email, the hacker relies on principles of social engineering to trick an employee into giving them the information they are looking for.

Most often, hackers either include a simple request for information or include a malicious link that, when clicked, takes the employee to a totally unrelated website that, again, appears legitimate. In some cases, hackers will attach malicious files to an email, asking the employee to download the file.

Phishing emails are incredibly common. In fact, according to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing. Companies can prevent phishing attacks, however, by training employees to be on the lookout for these fraudulent emails.

There are, of course, other ways that a bad actor can obtain sensitive company passwords. For example, someone from within the company could have intentionally leaked the password to a third party. Notably, Uhaul has not yet confirmed how the unauthorized party gained access to the company’s contract search tool; however, data breach lawyers are currently reviewing the Uhaul data breach in hopes of learning more about the incident so that they can advise affected customers about their potential right to pursue a data breach class action lawsuit.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the U-Haul International data breach, please see our recent piece on the topic here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising

Written by:

Console and Associates, P.C.


  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Console and Associates, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide