Two Industry Giants Report Breaches in September
U-Haul International, a leader in the moving and storage industry, reported a breach after Labor Day that involved its servers. The breach involved a customer contract search tool on the company’s website and was made possible by the compromise of two unique passwords. It is believed that external threat actors gained access to customer rental contracts through the tool between November 5th, 2021, and April 5th, 2022. While the company has clearly stated that no credit card information was exposed in the attack, customer names, driver’s licenses and other forms of identification were exposed. The company began notifying customers who may have been affected by mail on September 9th. U-Haul previously experienced a breach in 2017, when the network of one of its rental affiliates was accessed by an unauthorized party.
|IDENTIFY INDICATORS OF COMPROMISE (IOC)|
Both incidents were confirmed by an internal investigation conducted by the respective companies but neither has stated how they initially discovered the breach.
|CONTAINMENT (If IoCs are identified)|
A U-Haul spokesperson says that the company is currently augmenting their security measures and introducing additional security safeguards and controls to better secure the search tools on their website. The company confirms that all search tools are safe and that their website is fully operational. U-Haul is offering identity theft protection through Equifax to all affected customers for one year at no charge.
The password requirements for accounts associated with a service or application should be far more stringent than those used to secure user accounts. The U.S. National Institute of Standards and Technology (NIST) recommends creating long passphrases that incorporate up to 64 characters rather than dictionary words. Each service, application, or privileged account should be secured by a unique password. Passwords should also be stored in an encrypted format. While NIST no longer recommends that standard users change their passwords on a schedule, this is not the case for passwords protecting privileged assets or accounts: these passwords should be changed according to an enforced schedule. For user credentials, organizations should supplement password protection with multifactor authentication (MFA). Although text-message codes have proven highly popular in recent years, security firms now recommend the use of an authenticator app instead, as authenticator apps offer greater security and reliability. Password policies should be in place that outline the specific steps to take when an employee leaves the company for any reason. Users should be encouraged to use password managers that automatically generate strong, unique passwords for each online account, so that users need to remember only one password to access the manager itself.
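The policy described above (length, no dictionary words, uniqueness per account, rotation for privileged accounts) is easy to state but tends to go unenforced for service accounts that nobody logs into interactively. The checker below is an added example, not code from U-Haul or from the original article, that evaluates a service-account password against those rules. The 64-character ceiling comes from the NIST guidance quoted above; the 20-character minimum for privileged accounts, the 90-day rotation window, the word list and the fingerprint key are all constructed assumptions for the example. Reuse is detected by comparing keyed fingerprints rather than plaintext, so the checker never needs to keep the other accounts' passwords.

```python
import hashlib
import hmac
from datetime import date

# Policy constants. MAX_LENGTH follows the NIST figure cited in the article;
# the other two thresholds are assumptions chosen for this example.
MAX_LENGTH = 64
MIN_LENGTH_SERVICE = 20
PRIVILEGED_ROTATION_DAYS = 90

# Constructed word list; a real deployment would load a full dictionary and
# breached-password list instead of these five entries.
DICTIONARY_WORDS = {"password", "welcome", "summer", "moving", "admin"}

# Constructed pepper used only to fingerprint passwords for reuse detection.
# In production this would come from a secrets manager, never from source.
FINGERPRINT_KEY = b"example-pepper-do-not-use"


def fingerprint(password: str) -> str:
    """Keyed hash of a password so reuse can be detected without storing plaintext."""
    return hmac.new(FINGERPRINT_KEY, password.encode(), hashlib.sha256).hexdigest()


def contains_dictionary_word(password: str) -> bool:
    """True if any dictionary word of four or more letters appears in the candidate."""
    lowered = password.lower()
    return any(word in lowered for word in DICTIONARY_WORDS if len(word) >= 4)


def evaluate_password(account, password, last_changed, known_fingerprints, today=None):
    """Return a list of policy violations; an empty list means the password complies.

    account:            dict with 'name' and 'privileged' (bool)
    last_changed:       date the password was last set
    known_fingerprints: mapping fingerprint -> account name for other stored passwords
    """
    today = today or date.today()
    violations = []

    if account["privileged"] and len(password) < MIN_LENGTH_SERVICE:
        violations.append(f"too short for privileged account (min {MIN_LENGTH_SERVICE})")
    if len(password) > MAX_LENGTH:
        violations.append(f"exceeds maximum length {MAX_LENGTH}")
    if contains_dictionary_word(password):
        violations.append("contains a dictionary word")

    # Uniqueness: the same password on two accounts means one compromise opens both.
    owner = known_fingerprints.get(fingerprint(password))
    if owner and owner != account["name"]:
        violations.append(f"reused: same password as account '{owner}'")

    # Rotation applies to privileged/service accounts only, matching the article.
    if account["privileged"]:
        age = (today - last_changed).days
        if age > PRIVILEGED_ROTATION_DAYS:
            violations.append(
                f"rotation overdue: {age} days old (limit {PRIVILEGED_ROTATION_DAYS})"
            )
    return violations


if __name__ == "__main__":
    # Constructed sample: a search-tool service account with a weak, stale password.
    weak = evaluate_password(
        {"name": "svc-search", "privileged": True},
        "Summer2022!",
        date(2022, 1, 1),
        {},
        today=date(2022, 9, 9),
    )
    for v in weak:
        print("svc-search:", v)
```

Run the module directly to see the violations for the constructed sample account; in a real environment the same function would be called from the scheduled job or CI check that audits service-account credentials in the vault.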
You can strengthen your Incident Response Readiness (IRR) to prepare for an attack. A security assessment will help identify areas of risk and opportunities for improvement to prevent or limit the impact of a successful malware attack.