U-Haul said attackers were able to compromise two individual passwords and access the company’s customer contract software, exposing customer names and driver’s license or state identification numbers.
Attackers had unauthorized access from Nov. 5, 2021, to April 5, 2022, U-Haul said. Once the breach was discovered, U-Haul changed the affected passwords and launched an investigation, the company explained on Sept. 9.
“The investigation decided an unauthorized individual accessed the client contract search software and a few buyer contracts,” according to U-Haul’s notice of the cybersecurity incident. “None of our monetary, fee processing or U-Haul email methods have been concerned; the entry was restricted to the client contract search software.”
U-Haul’s Password Security Panned
Experts like Sami Elhini, with Cerberus Sentinel, panned U-Haul’s lack of password security.
“Finally, that is an identification administration subject,” Elhini explained in an emailed statement. “Figuring out you have a resolved identification primarily based on a profitable one-factor authentication is not only blissfully ignorant, but also probably civilly and criminally negligent.”
Lior Yaari, CEO of Grip Security, was also withering in his assessment of U-Haul’s cybersecurity.
“The passwords compromised on this U-Haul assault have been clearly not ruled or protected correctly,” Yaari said in an emailed statement. “There are most likely different passwords that will have already been compromised that U-Haul, and a whole bunch of different corporations, are unaware of and won’t grow to be conscious of, till one other breach like this happens.”
Enhancing Password Protections
While the precise approach might vary across sectors and organizations, Yaari said the industry needs to stop repeating the same mistakes and relying on employees as an effective defense against cyberattack.
“The extra safeguards corporations take to forestall password compromise will seemingly fail, and this type of breach will probably be repeated over and over,” Yaari added. “Moderately than including extra Band-Aids, the business must take a recent strategy that removes the burden of securing passwords from staff.”