Security Update

U-Haul detected a compromise of two unique passwords that were used to access a customer contract search tool. We are providing this notice to explain the incident and measures we have taken in response.

What Happened?

We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts for U-Haul customers. The search tool cannot access payment card information; no credit card information was accessed or acquired. Upon identifying the compromised passwords, we promptly changed the passwords to prevent any further unauthorized access and started an investigation. Cybersecurity experts were engaged to identify the contracts and customers that were involved. The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts. None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool.

What Information Was Involved?

On August 1, 2022, our investigation determined some rental contracts were accessed between November 5, 2021, and April 5, 2022, that contained names and driver's license numbers of some customers.

What Are We Doing?

In response to the incident, we have taken steps to prevent a similar incident in the future and are implementing additional security safeguards and controls on the search tool. We are notifying impacted customers and offering them identity theft protection services.

What You Can Do.

We encourage impacted customers to remain vigilant by reviewing account statements and credit reports for any unauthorized activity.

For More Information.

If you have any questions, please review our FAQs below.

Frequently Asked Questions

What happened?

U-Haul discovered that two unique passwords were compromised and used to access a customer contract search tool. It is important to note that this incident was limited to the customer contract search tool and did not involve U-Haul Company's payment processing systems, email, internal corporate network, or any customer facing websites. Upon discovery, we took immediate steps to augment our security measures to guard against such incidents and implemented additional safeguards and controls for accessing the customer contract search tool.
When did this happen?

On July 12, 2022, we identified two unique passwords were compromised and used to access our customer contract search tool. We promptly changed the passwords and began an investigation. On August 1, 2022, our investigation determined some customer contracts were accessed between November 5, 2021, and April 5, 2022. After an in-depth analysis, on September 7, 2022, we identified the individuals whose information was involved.
What has U-Haul done thus far to resolve the issue?
- Upon discovery, we changed the passwords and implemented additional safeguards and controls for accessing the search tool.
- Based on our investigation and remediation of the incident, we are confident there is no further risk to our systems and the data contained within. It is safe to conduct business with our company.
- We worked with our internal technical team and external cybersecurity experts to identify the contracts and customers involved. We then worked to provide notice to affected customers as soon as possible.
- We look forward to turning the page on this incident. In line with that commitment, we’re continuing to work with our teams to identify opportunities to enhance our existing cybersecurity defenses moving forward.
Was any customer data compromised as part of this incident?

Yes, some customer data was accessed by an unauthorized individual. We are providing notice to affected customers. The type of information that was involved includes names, dates of birth and driver's license numbers.
Is it safe to email and communicate with my usual company contact?

Yes, U-Haul email and customer facing websites were not affected by this incident. We want to assure you that it is safe to conduct business with our company and there has been no impact to business operations.
How could something like this have happened?

Customer privacy is a priority at U-Haul. Unfortunately, we are not immune from the risk of cybercrime confronting all companies. Criminals are constantly learning and becoming more dangerous; changing tactics to defeat security safeguards of companies of every size and industry. Upon discovery of the incident, we began working diligently to investigate the scope of the incident and identify individuals whose information may have been involved. We also implemented additional security safeguards to bolster our existing cybersecurity defenses. We are committed to fortifying our defense systems and adding to our preemptive controls to thwart future attempts by criminals who seek to harm our customers.
How will I know if my data was impacted?

If your contract was accessed and included your name and driver's license number, you will receive a notice about this incident. If you do not receive a letter from us, your name and driver's license number were not involved.
What is U-Haul offering to impacted individuals?

We are offering any customer whose name and driver's license number was involved a complimentary membership to credit monitoring and identity protection services from Equifax.
How long do I have to activate the credit monitoring service?

Your activation code is good until December 31, 2022.
How long does the credit monitoring service last?

The credit monitoring service will last one year following activation.

Back
To Top