UHaul Data Breach
I just received this email a few days ago:
We are writing to inform you of an incident that involved some of your information. We are providing this notice to explain the incident and measures we have taken, and also to provide some steps you can take in response.
What Happened? We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts for U-Haul customers. The search tool cannot access payment card information; no credit card information was accessed or acquired. Upon identifying the compromised passwords, we promptly changed the passwords to prevent any further unauthorized access to the search tool and started an investigation. Cybersecurity experts were engaged to identify the contracts and data that were involved. The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts. None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool.
What Information Was Involved? On August 1, 2022, our investigation determined some rental contracts were accessed between November 5, 2021, and April 5, 2022. After an in-depth analysis, our investigation determined on September 7, 2022, the accessed information includes your name and driver's license or state identification number
Well, it's a nice email to wake up to.
The first time I ever rent a uHaul and my DL is leaked.

> some rental contracts were accessed between November 5, 2021, and April 5, 2022
> None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool.

So they were in U-Haul's network for 5 months, but U-Haul is dead sure they only got into a single system. I hate it when they phrase things in this overly confident way. I do believe they didn't see overt evidence that other systems were compromised, but that doesn't mean it didn't happen.

Usually when they "found no evidence that other systems were compromised", they mean that their auditing and logging is so bad that they literally cannot tell ;-)

Hear no evil, see no evil, speak no evil.

To give them the benefit of the doubt, maybe those 2 compromised accounts were only able to access that tool.

A more weaselly sentence would be "Evidence so far has shown that the access was limited to the customer contract search tool.", or another company had something along the lines of "Evidence so far shows that no sensitive customer information was compromised." Which can be PR talk for "We have no intrusion detection tools so we don't know what data they managed to extract".

Last time I rented a U-Haul, they asked to see my driver's license as expected - then took a picture of the front and back to store in their systems. I did not like them taking a picture of the entire license at all, but was stuck. I had full expectation that a non-tech company like U-Haul would be fully incompetent to properly store such a trove of identity information, and here it is - crackers wandering around in their system for six months, and they "have no evidence" of further intrusion, meaning they don't even have the logs to verify or the capability to read the logs, so they actually have no evidence that other data was not accessed (absence of evidence is not evidence of absence)...
I'll sure as hell be avoiding UHaul if at all possible in the future...

Why would you expect a tech company to do a better job securing this information? I've worked for both kinds quite a bit at this point and don't really see any trends either way other than "most don't really care and there usually aren't consequences so why would they" and that's universal.

> I had full expectation that a non-tech company like U-Haul would be fully incompetent to properly store such a trove of identity information,

Why would a tech company be any better at handling data securely? More engineers doesn't mean better security.

> > Why would a tech company be any better at handling data securely? More engineers doesn't mean better security.

True, it is not a necessary relationship. My assumption is that a company with technological founders and a strong engineering contingent has at least a FEW people who have at least encountered issues of digital and network security before - someone who might raise a flag here and there. So, a slightly greater likelihood of some responsible decisions. But for non-tech companies, the general attitude I've seen is hostility to whatever IT they have, whether outsourced or insourced, as it is a cost center and generally seen as the scapegoat for whatever inconvenience happens related to any tech, and either wholesale ignorance or active misunderstanding of tech issues. So, when a responsible and knowledgeable engineer brings up the idea of "maybe it isn't a good idea to store all this info, or at least we should get expertise on how to handle it...", it seems that the likelihood of getting an actively hostile response is higher. That said, there are plenty of sociopathic execs flocking to run tech companies who will even more actively seek to harvest maximum customer data and 'screw 'em if we leak or sell their stuff'. So, maybe a minimally effective assumption.
My last experience with U-Haul (October 2021 to March 2022) is indeed my last experience with them. Over and above the standard incompetence stemming from franchisees somehow working against an umbrella organization for scheduling, pickup, dropoff, etc., they somehow superimposed somebody else's data (including DL, name, address, last 4 of credit card) onto our reservation. This meant that when they couldn't contact the (wrong) phone number to confirm scheduled drop off of equipment, they just canceled it. This in turn delayed the whole move by a day, since our local office couldn't re-dispatch on the same day, because ... reasons? Honestly, I wouldn't be surprised if this security incident was in fact just their own lousy database implementation leaving things exposed. The entire moving industry seems built on the understanding that, regardless of what the law says, the customer is entrusting the entirety of their earthly possessions to this industry they (hopefully) engage with once a decade or more. Every aspect of the process has this thinly veiled extortive quality to it. I'm really not sure how to engineer that out. There's little real recourse, as there are few frequent repeat customers to "just take their money elsewhere".

> This in turn delayed the whole move by a day, since our local office couldn't re-dispatch on the same day, because ... reasons? Honestly, I wouldn't be surprised if this security incident was in fact just their own lousy database implementation leaving things exposed.

From experience with a franchise whose business model had to account for network outage/unavailability (in rural areas, during natural disasters, etc.), given your mention of a 24h delay I'd speculate that U-Haul might have a similar system in place: an on-site database that synchronizes with the remote during overnight batch processing.

Someone mentioned (and deleted) it'd be better to make friends with someone who has access to a box truck.
My two cents: This feels like valuable advice across multiple industries. Big companies have no one's name attached, not the way people do. So the price of a convenient box truck is playing by their rules, submitting ID, and trusting them to take care of their responsibilities. If they don't, then no one is responsible or truly looks bad. No single relationship is broken. So no great incentive on their part to care.
Meanwhile, friends, or even paid acquaintances, have no incentive to squeeze past at most some cash or a favor. And if they squeeze too hard they, as a person, will face social consequences (sociopaths exempt, to a degree).

Same thing happened to me. I care MUCH less about my credit card being leaked than the picture & details of my Driver's License being out there. Last time I give them any money.

Also happened to me but my experience at that time was so bad that I'd never use them again anyway. Aside from issues with my reservation, they charged my card ~$2500 3 months _after_ I had returned the trailer I rented. Claimed it was returned late and to an entirely different state. Luckily I am a receipt hoarder and had all the evidence that I returned it on time. Unluckily though it took _weeks_ to get my money back from UHaul and several calls to hassle them about getting it fixed. UHaul not even once.

I understand that sentiment, but IT security seems to be at a point where it's unmanageable... especially for non-tech companies. I don't see how a CEO would reasonably assess the state of their IT security. Who would you trust to give an accurate state, remediation plan, etc.? There are so many ways to do it wrong and so many different opinions, directions, etc. It feels like even those that throw lots of money at it get mediocre improvements in security but with notable hits to productivity. In other words, I think there are very few non-tech companies that aren't in the same spot as U-Haul. And probably quite a few highly technical companies also... witness Uber's recent issues.

If it were me, which it wasn't, I'd be looking for the rentals being made by a certain white supremacist group that likes to use U-Hauls to transport their masked goons around the country.

Uhaul is such a dumpster of a dino company it wouldn't surprise me if they secured everything with "password". I hate them with a passion.