Tuesday, September 13, 2022
U-Haul Customer Contract Search Tool Compromised



U-Haul said attackers were able to compromise two individual passwords and access the company's customer contract tool, exposing customer names and driver's license or state identification numbers.

Attackers had unauthorized access from Nov. 5, 2021, to April 5, 2022, U-Haul said. Once the breach was discovered, U-Haul changed the affected passwords and launched an investigation, the company explained on Sept. 9.

“The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts,” according to U-Haul’s notice of the cybersecurity incident. “None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool.”

U-Haul’s Password Security Panned

Experts like Sami Elhini, with Cerberus Sentinel, panned U-Haul’s lack of password security.

“Ultimately, this is an identity management issue,” Elhini explained in an emailed statement. “Knowing you have a resolved identity based on a successful one-factor authentication is not only blissfully ignorant, but also potentially civilly and criminally negligent.”

Lior Yaari, CEO of Grip Security, was also withering in his assessment of U-Haul’s cybersecurity.

“The passwords compromised in this U-Haul attack were clearly not governed or protected properly,” Yaari said in an emailed statement. “There are probably other passwords that may have already been compromised that U-Haul, and hundreds of other companies, are unaware of and will not become aware of, until another breach like this occurs.”

Improving Password Protections

While the precise approach may vary across sectors and organizations, Yaari said the industry needs to stop repeating the same mistakes and relying on employees as an effective defense against cyberattack.

“The additional safeguards companies take to prevent password compromise will likely fail, and this type of breach will be repeated time and again,” Yaari added. “Rather than adding more Band-Aids, the industry needs to take a fresh approach that removes the burden of securing passwords from employees.”
