Student rideshare startup HopSkipDrive has confirmed a data breach involving the personal data of more than 155,000 drivers.
Los Angeles-based HopSkipDrive offers an Uber-style ride-sharing service for kids and teens. The startup, which has raised at least $90 million since it was founded in 2014, works with school districts to transport students who live outside traditional bus routes or need extra help getting to school.
In a filing with the Maine attorney general last week, HopSkipDrive confirmed that it had experienced a cybersecurity incident in June that led to a data breach affecting 155,394 drivers. HopSkipDrive said the stolen data included names, email and mailing addresses, driver’s license numbers and other non-driver ID card numbers.
HopSkipDrive spokesperson Campbell Millum told TechCrunch that those affected include “people who drive on our platform or who have applied to drive on our platform.” Millum added that no employee or customer data was accessed during the breach.
The company confirmed to TechCrunch that it first discovered the breach on June 12, 2023, when it “discovered suspicious activity in certain third-party applications used by our organization.” The company declined to name the compromised apps.
In a letter sent to those affected, HopSkipDrive said it first became aware of the issue after receiving an email from an unknown threat actor.
When TechCrunch asked why it took months for the company to notify affected drivers, a HopSkipDrive spokesperson dismissed claims of a delay in the company’s communications, adding that the company first notified affected individuals in the first week of July and is “continuing to communicate since then.”
“We immediately launched an investigation, hired experts to help assess the extent of the incident and took steps to mitigate the potential impact on our community,” the letter sent to affected drivers states. “A third-party forensic investigation determined that the incident occurred between May 31, 2023 and June 10, 2023.”
HopSkipDrive said it is “committed to strengthening the security of our systems to prevent a similar incident from happening again in the future,” but did not specify what additional safeguards it has in place.
TechCrunch asked HopSkipDrive, whose leadership page does not list a chief security officer, whether it has an executive dedicated to handling cybersecurity. HopSkipDrive said it has “information security experts on both our legal and technology teams.”