by toss1 1377 days ago
Last time I rented a U-Haul, they asked to see my driver's license as expected - then took a picture of the front and back to store in their systems.

I did not like the taking a picture of the entire license at all, but was stuck.

I had full expectation that a non-tech company like U-Haul would be fully incompetent to properly store such a trove of identity information, and here it is - crackers wandering around in their system for six months, and they "have no evidence" of further intrusion, meaning they don't even have the logs to verify or the capability to read the logs, so they actually have no evidence that other data was not accessed (absence of evidence is not evidence of absence)...

I'll sure as hell be avoiding U-Haul if at all possible in the future...

4 comments

Why would you expect a tech company to do a better job securing this information? I've worked for both kinds quite a bit at this point and don't really see any trends either way other than "most don't really care and there usually aren't consequences so why would they" and that's universal.
>I had full expectation that a non-tech company like U-Haul would be fully incompetent to properly store such a trove of identity information,

Why would a tech company be any better at handling data securely? More engineers doesn't mean better security.

>>Why would a tech company be any better at handling data securely? More engineers doesn't mean better security.

True, it is not a necessary relationship.

My assumption is that a company with technological founders and strong engineering contingent has at least a FEW people who have at least encountered issues of digital and network security before - someone who might raise a flag here and there. So, a slightly greater likelihood of some responsible decisions.

But for non-tech companies, the general attitude I've seen is hostility to whatever IT they have, whether outsourced or insourced, as it is a cost center and generally seen as the scapegoat for whatever inconvenience happens related to any tech, and either wholesale ignorance or active misunderstanding of tech issues.

So, when a responsible and knowledgeable engineer brings up the idea of "maybe it isn't a good idea to store all this info, or at least we should get expertise on how to handle it..." it seems that the likelihood of getting an actively hostile response is higher.

That said, there are plenty of sociopathic execs flocking to run tech companies who will even more actively seek to harvest maximum customer data and 'screw 'em if we leak or sell their stuff'.

So, maybe a minimally effective assumption.

My last experience with U-Haul (October 2021 to March 2022) is indeed my last experience with them.

Over and above the standard incompetence stemming from franchisees somehow working against an umbrella organization for scheduling, pickup, dropoff, etc they somehow superimposed somebody else's data (including DL, name, address, last 4 of credit card) onto our reservation. This meant that when they couldn't contact the (wrong) phone number to confirm scheduled drop off of equipment, they just canceled it. This in turn delayed the whole move by a day, since our local office couldn't re-dispatch on the same day, because ... reasons? Honestly, I wouldn't be surprised if this security incident was in fact just their own lousy database implementation leaving things exposed.

The entire moving industry seems built on the understanding that, regardless of what the law says, the customer is entrusting the entirety of their earthly possessions to this industry they (hopefully) engage with once a decade or more. Every aspect of the process has this thinly veiled extortive quality to it. I'm really not sure how to engineer that out. There's little real recourse, as there are few frequent repeat customers to "just take their money elsewhere".

> This in turn delayed the whole move by a day, since our local office couldn't re-dispatch on the same day, because ... reasons? Honestly, I wouldn't be surprised if this security incident was in fact just their own lousy database implementation leaving things exposed.

From experience with a franchise whose business model had to account for network outage/unavailability (in rural areas, during natural disasters, etc.), given your mention of a 24h delay I'd speculate that U-Haul might have a similar system in place: an on-site database that synchronizes with the remote during overnight batch processing.

Someone mentioned (and deleted) it'd be better to make friends with someone who has access to a box truck. My + two cents:

This feels like valuable advice across multiple industries.

Big companies have no one's name attached, not the way people do. So the price of a convenient box truck is playing by their rules, submitting ID, and trusting them to take care of their responsibilities. If they don't, then no one is responsible or truly looks bad. No single relationship is broken. So no great incentive on their part to care. Meanwhile, friends, or even paid acquaintances, have no incentive to squeeze past at most some cash or favor. And if they squeeze too hard they, as a person, will face social consequences (sociopaths exempt, to a degree).