Milberg Files U-Haul Data Breach Class Action Lawsuit
by Brian Eckert
Milberg Coleman Bryson Phillips Grossman (“Milberg”) has filed a lawsuit in response to a large data breach affecting the customer contracts of storage and rental company U-Haul. The U-Haul data breach class action lawsuit claims that U-Haul failed to secure the personal data of its customers. It seeks to remedy the harms suffered by victims of the cyberattack.
If you have ever done business with U-Haul and your information was compromised in the attack, you may be automatically eligible to participate in this lawsuit.
2.2 Million U-Haul Customer Records Breached
U-Haul’s ubiquitous moving trucks are found across the United States and Canada. The Phoenix-based company operates a fleet of 186,000 trucks, 128,000 trailers, and 46,000 towing devices, as well as 825,000 rental storage units.
The personal information of 2.2 million U-Haul customers was compromised in the data breach.
The world’s largest do-it-yourself rental operation tells its customers “your privacy is important to us” and that it uses “commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your Information and our systems.”
U-Haul, however, failed to honor these words when it suffered a data breach that went undetected for five months and resulted in millions of customer records being compromised. It has not given an explanation for why it took so long to discover the security breach.
U-Haul reports that on August 1, 2022 it determined that the rental contracts of some customers were accessed between November 5, 2021 and April 5, 2022. Although it does not publicly disclose in this security update the number of impacted customers, a company spokesperson confirmed to Fox Business that the number is 2.2 million.
In response to the data breach, U-Haul is offering affected consumers one year of identify theft protection services through Equifax.
Data Breach Victims Face Heightened Risk of Identity Theft
According to U-Haul, cybercriminals using “two unique passwords” were able to access customer rental contracts, resulting in the unauthorized disclosure of names and driver’s license or state identification numbers. While U-Haul told customers that “no credit card information was accessed or acquired,” this is not as assuring as it might sound.
Unlike credit card numbers, which can be cancelled and changed with a single phone call, the personally identifiable information (PII) compromised in the U-Haul data breach is difficult or impossible to change. Cybersecurity expert Martin Walter of RedSeal says that PII like a person’s driver’s license number, name, and date of birth is worth 10x more than credit card information on the black market. PII may be sold on the dark web for $40 to $200, while a stolen credit or debit card number might sell for $5 to $10 on the dark web, reports Experian.
Defendant could have prevented this Data Breach by properly securing and encrypting the files and file servers containing the PII of Plaintiff and Class Members, alleges Milberg’s lawsuit.
Alone or in combination with other PII, a stolen driver’s license number can be used by nefarious parties to, among other things, apply for credit cards and financial loans, open bank accounts, obtain a phone number, file tax returns, access online accounts, and engage in phishing and other scams.
Given the value of the PII stored in U-Haul systems to criminals, and the increasing frequency of cyberattacks in recent years, U-Haul knew—or should have known—the importance of robust cybersecurity measures. But Milberg’s lawsuit alleges that U-Haul did not even encrypt customer PII on its network.
“Defendant could have prevented this Data Breach by properly securing and encrypting the files and file servers containing the PII of Plaintiff and Class Members,” states the complaint. “Despite the prevalence of public announcements of data breach and data security compromises, Defendant failed to take appropriate steps to protect the PII of Plaintiff and Class Members from being compromised.”
Lead Plaintiff and Proposed Class
The plaintiff in the U-Haul class action lawsuit had his PII compromised in the data breach. He claims that U-Haul has downplayed the theft of his personal data and not offered him adequate compensation.
On behalf of himself and the class, the plaintiff seeks damages for the loss of value of stolen PII, out-of-pocket expenses incurred to deal with the PII theft, loss of time and opportunity costs related to mitigation of the data breach consequences, and the ongoing risk of identity theft. Anyone who meets the following definition could be included as a lawsuit class member:
All persons U-Haul International, N.A. identified as being among those individuals impacted by the Data Breach, including all who were sent a notice of the Data Breach.
Eligible class members do not have to hire a lawyer or pay any legal fees. Class action attorneys for Milberg are representing all members in this action on a contingency basis. We are one of the top consumer protection firms in the country, with a strong and proud history of data breach litigation.
If you believe your consumer rights were violated, contact us to speak with a lawyer.