HopSkipDrive says personal data of 155,000 drivers stolen in data breach

Student rideshare startup HopSkipDrive has confirmed a data breach involving the personal data of more than 155,000 drivers.

Los Angeles-based HopSkipDrive offers an Uber-style rideshare service for children and teenagers. The startup, which has raised at least $90 million since it was founded in 2014, partners with school districts to transport students who live outside traditional bus routes or need extra help getting to school.

In a filing with Maine’s attorney general last week, HopSkipDrive confirmed that it had experienced a cybersecurity incident in June that resulted in a data breach affecting 155,394 drivers. HopSkipDrive said the stolen data included names, email and postal addresses, driver license numbers and other non-driver identification card numbers.

HopSkipDrive spokesperson Campbell Millum told TechCrunch that those affected include “people who drive on our platform or who applied to drive on our platform.” Millum added that no employee or customer data was accessed in the breach.

The company confirmed to TechCrunch that it first discovered the breach on June 12, 2023, when it “discovered suspicious activity on certain third-party applications utilized by our organization.” The company declined to name the compromised applications.

In a letter sent to those affected, HopSkipDrive said it first became aware of the issue after receiving an email from an unknown threat actor.

When TechCrunch asked why it took the company months to notify affected drivers, HopSkipDrive's spokesperson rebuffed claims of a delay in the company's communications, adding that the company first notified affected individuals in the first week of July and has “continued communications since then.”

“We promptly launched an investigation, engaged experts to assist in assessing the scope of the incident, and took steps to mitigate the potential impact to our community,” the letter sent to affected drivers reads. “A third-party forensic investigation determined the incident occurred between May 31, 2023 and June 10, 2023.”

HopSkipDrive said it is “committed to strengthening our systems’ security to prevent a similar event from occurring again in the future,” but did not elaborate on what additional safeguards it is implementing.

TechCrunch asked HopSkipDrive, whose leadership page does not list a chief security officer, if it has a company executive dedicated to handling cybersecurity at the company. HopSkipDrive said it has “information security experts on both our legal and our technology teams."