Student ride-sharing startup HopSkipDrive has confirmed a data breach involving the personal data of more than 155,000 drivers.
Los Angeles-based HopSkipDrive offers an Uber-style ride-sharing service for kids and teens. The startup, which has raised at least $90 million since its founding in 2014, partners with school districts to transport students who live off traditional bus routes or need extra help getting to school.
In a filing filed with Maine's attorney general last week, HopSkipDrive confirmed that it had experienced a cybersecurity incident in June that resulted in a data breach that affected 155,394 drivers. HopSkipDrive said the stolen data included names, postal and email addresses, driver's license numbers and other non-driver identification card numbers.
HopSkipDrive spokesperson Campbell Millum told TechCrunch that those affected include “people who drive on our platform or who requested to drive on our platform.” Millum added that no employee or customer data was accessed during the breach.
The company confirmed to TechCrunch that it first discovered the breach on June 12, 2023, when it “discovered suspicious activity in certain third-party applications used by our organization.” The company declined to name the compromised applications.
In a letter sent to those affected, HopSkipDrive said it first became aware of the issue after receiving an email from an unknown threat actor.
When TechCrunch asked why it took months for the company to notify affected drivers, HopSkipDrive's spokesperson rejected claims of a delay in company communications, adding that the company first notified affected people in the first week of July and has “continued communications since then.”
“We quickly launched an investigation, engaged experts to help us assess the scope of the incident, and took steps to mitigate the potential impact on our community,” reads the letter sent to affected drivers. “A third-party forensic investigation determined that the incident occurred between May 31, 2023 and June 10, 2023.”
HopSkipDrive said it is “committed to strengthening the security of our systems to prevent a similar event from occurring in the future,” but did not elaborate on what additional safeguards it is implementing.
TechCrunch asked HopSkipDrive, whose Leadership page does not include a security director, if you have a company executive dedicated to managing cybersecurity in the company. HopSkipDrive said it has “information security experts on both our legal team and our technology team.”