[tyingq]

>some rental contracts were accessed between November 5, 2021, and April 5, 2022

>None of our financial, payment processing or U-Haul email systems were involved; the access was limited to the customer contract search tool.

So they were in U-Haul's network for 5 months, but U-Haul is dead sure they only got into a single system.

I hate it when they phrase things in this overly confident way. I do believe they didn't see overt evidence that other systems were compromised, but that doesn't mean it didn't happen.

[prottog]

Usually when they "found no evidence that other systems were compromised", they mean that their auditing and logging is so bad that they literally cannot tell ;-)

[nisegami]

hear no evil, see no evil, speak no evil

[netsharc]

To give them the benefit of the doubt, maybe those 2 compromised accounts were only able to access that tool.

A more weasley sentence would be "Evidence so far has shown that the access was limited to the customer contract search tool.", or another company had something along the lines of "Evidence so far show that no sensitive customer information was compromised."

Which can be PR talk for "We have no intrusion detection tools so we don't know what data they managed to extract".