U-Haul International Hit with Class Action Over Alleged Failure to Prevent Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims that U-Haul International’s failure to properly secure its customers’ personally identifiable information resulted in a months-long data breach.

According to the 35-page lawsuit, the moving truck, trailer, and self-storage rental company did not use reasonable security procedures to protect its customers’ unencrypted data, which allowed an unauthorized actor accessed a customer contract search tool between November 5, 2021, and April 5, 2022. The case alleges that the compromised information included former and current customers’ names, dates of birth, and driver’s license or state identification numbers.

As the suit tells it, U-Haul “knew or should have known” that its computer systems were a target for “ferociously aggressive” cybersecurity attacks, especially in light of precautionary reports that were made easily accessible by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and ZDNet in the years leading up to the data breach.

Despite these warnings, U-Haul continued to store unencrypted information in an internet-accessible environment, the case contends.

Per the complaint, U-Haul’s privacy policy states that the company will use “commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security” of its customers’ private information. The case alleges that by failing to take appropriate action to maintain consumer confidentiality, U-Haul has breached its contractual promise to protect its customers’ data.

Additionally, the suit contends that U-Haul learned of the data breach on August 1, 2022, but did not notify its customers or the proper authorities until September 9, 2022. U-Haul has also failed to share “the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure a breach does not occur again,” the suit alleges.

The lawsuit argues that third parties may use consumers’ personally identifiable information for targeted advertising. Worse yet, the case contends that cybercriminals can put the compromised data up for sale on the dark web, where stolen identity credentials are in high demand.

The complaint alleges that the data breach victims now face a lifetime risk of identity theft, as well as “years of constant surveillance of their financial and personal records,” “anxiety, emotional distress, loss of privacy,” and potential economic losses from fraud and abuse. The case also stresses that consequential fraudulent activities may not transpire for years.

The lawsuit looks to cover all individuals whose personally identifiable information was compromised in the U-Haul International data breach that is the subject of the notice sent to victims by U-Haul on or around September 9, 2022.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.