U-Haul International Data Breach Class Action

U-Haul International, Inc. rents moving trucks, trailers, and self-storage space throughout the US. It uses the Internet extensively for its operations, including for reservations and payment processes, but the complaint for this class action alleges that the company failed to take adequate measures to protect the personally identifiable information (PII) it had in its systems for current and former customers.

The class for this action is all persons whose PII was maintained on U-Haul’s system that was compromised in the data breach, and who were sent a notice of the data breach.

The complaint quotes U-Haul’s Privacy Policy as saying, “We use commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your information and our systems.”

However, the Privacy Policy appears to be oddly casual about its ability to protect the information it is given. The policy is also quoted as saying, “We cannot, however, ensure or warrant the security of any information you transmit Us [sic] and you do so at your own risk. However, please note that this is not a guarantee that such information may not be accessed disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.”

However, the complaint does not agree that providing information to the company should be at the customer’s own risk: “By obtaining, collecting, using, and deriving a benefit from the PII of” its customers, it says, U-Haul “assumed legal and equitable duties to those individuals to protect and safeguard their information against unauthorized access and intrusion.”

The data breach appears to have taken place sometime between November 5, 2021 and April 5, 2022, according to U-Haul.

U-Haul learned that its systems had been breached on or before August 1, 2022, the complaint alleges, but only around September 9 began informing the Securities and Exchange Commission (SEC) and the individual victims.

The complaint quotes the company’s Notice of Recent Security Incident as saying, “We detected a compromise of two unique passwords that were used to access a customer contract search tool that allows access to rental contracts.” The Notice assures customers that “no credit card information was accessed or acquired.”

However, the complaint alleges that the hackers did manage to access names, dates of birth, and driver’s license or state identification numbers, and that the information was unencrypted. It claims that driver’s license numbers are very valuable to hackers and one of their most sought-after kinds of information.

According to the complaint, U-Haul bears responsibility for not properly protecting customers’ information. The complaint alleges that U-Haul’s annual report shows that it was quite aware of the risk of a data breach and the harm it could cause the company.

The complaint claims that U-Haul followed neither the Federal Trade Commission’s guidelines for business nor industry standards for protecting information.

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy