U-Haul said attackers were able to compromise two individual passwords and access the company's customer contract tool, exposing customer names and driver's license or state identification numbers.

Attackers had unauthorized access from Nov. 5, 2021, to April 5, 2022, U-Haul said. Once the breach was discovered, U-Haul changed the affected passwords and launched an investigation, the company explained on Sept. 9.

"The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts," according to U-Haul's notice of the cybersecurity incident. "None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool."

U-Haul's Password Security Panned

Experts like Sami Elhini, with Cerberus Sentinel, panned U-Haul's lack of password security.

"Ultimately, this is an identity management issue," Elhini explained in an emailed statement. "Determining you have a resolved identity based on a successful one-factor authentication is not only blissfully ignorant, but also potentially civilly and criminally negligent."

Lior Yaari, CEO of Grip Security was also withering in his assessment of U-Haul's cybersecurity.

"The passwords compromised in this U-Haul attack were clearly not governed or protected properly," Yaari said in an emailed statement. "There are probably other passwords that may have already been compromised that U-Haul, and hundreds of other companies, are unaware of and will not become aware of, until another breach like this occurs.”  

Improving Password Protections

While the precise approach might very across sectors and organizations, Yaari said the industry needs to stop repeating the same mistakes and relying on employees as an effective defense against cyberattack.

"The additional safeguards companies take to prevent password compromise will likely fail, and this type of breach will be repeated over and over again," Yaari added. "Rather than adding more Band-Aids, the industry needs to take a fresh approach that removes the burden of securing passwords from employees."