One of the country’s largest self-storage operators has been hit by a major data breach.
Last week U-Haul notified affected customers of the incident, informing them that their names and driver’s license information had been compromised. The company said in the letter to customers that credit card information was not accessed by the hacker.
A company representative confirmed with FOX Business that as many as 2.2 million customer records were affected. The moving and storage company has more than 23,000 locations throughout North America. It is ranked the 5th largest self-storage operator by Inside Self Storage.
Inside the hack
The company first discovered signs of a breach on July 12, and concluded an initial investigation on August 1. The investigation found that hackers accessed rental contracts dated November 5, 2021 through April 05, 2022.
“The investigation determined an unauthorized person accessed the customer contract search tool and some customer contracts. None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool,” the letter to customers stated.
According to tech news site Bleeping Computer, the hacker gained access to the rental contracts search portal by compromising two unique passwords—which have since been changed by U-Haul.
Exactly how the passwords were cracked was not disclosed by the company. One possible way that hackers could have gained access is through a phishing attack. Phishing is among the methods cybercriminals most commonly use to obtain passwords and infiltrate corporate data records. In such an attack, the hacker tricks a legitimate user into entering their password on a fake website designed to look official. A link to the fake site is often sent by e-mail, with the sender impersonating someone the victim knows and trusts.
In the letter to customers, signed by U-Haul President John Taylor, the company said it was working to augment its security measures to prevent such incidents from occurring in the future. In response, the company is providing each affected customer with identity theft monitoring through Equifax for one year.