HopSkipDrive, a prominent education transport and ride-share organization, faced a substantial cybersecurity incident in July 2023, when an unknown actor claimed to have exfiltrated data during a cyber attack. The organization initiated an internal review and has recently published an update on the incident. The disclosure indicates that over 155k people are potentially affected, which underscores the severity of the breach. Despite the update, certain details about the attack remain unclear, as the consumer notice does not say what methods the attackers used. The breach exposed a range of sensitive information, including names, addresses, email addresses, driver’s license numbers, and government-issued IDs. The compromised data puts the victims at increased risk of fraud and impersonation.
The forensic investigation into the incident revealed that the attackers accessed HopSkipDrive’s data environment around May 31st, 2023, and remained within the system for a week, presumably collecting data. The attackers later sent an email to HopSkipDrive on July 25th, potentially attempting extortion. Impact notices have been officially issued in waves, starting in November 2023 and continuing into January 2024. The stolen information is at risk of misuse, from potential extortion to being sold on the dark web. Victims are urged to take immediate steps to secure their accounts, including creating unique passwords, implementing multi-factor authentication, and vigilantly monitoring statements for any suspicious activity.