Education Transport and Ride Share Organization Updates on 155k Breach
Table of Contents
- By Steven
- Feb 05, 2024
HopSkipDrive is an education solution that assists guardians with their unique transportation needs; from planning bus logistics to utilizing live ride-share options, HopSkipDrive is a family’s best resource for education transportation. In July 2023, HopSkipDrive received an email from an unknown actor, allegedly claiming that assailants exfiltrated information during a cyber attack. HopSkipDrive opened an internal review and recently published an update to the incident—the update includes over 155k people as potentially impacted by the incident.
How Did the Attack Occur?
Despite HopSkipDrive’s update on impact figures, there remain unclear elements of the event itself. The consumer notice published with the Maine Attorney General’s update filing lists no details about the attack or how the assailants made it happen. It only says that an unauthorized actor emailed them with the claim of having HopSkipDrive’s breached data—which later investigations discovered to be true. The email supposedly implied that the assailants made the breach possible through a third-party application used by HopSkipDrive; however, they have not confirmed which application this may have been.
What Information Was Viewed or Stolen?
According to the details made public by the Maine Attorney General breach filing, the data compromised in this event is mainly identifying. Information exposures differ between individuals, but all have an increased risk of fraud and impersonation. Based on the consumer notice, victims’ names, mailing addresses, and email addresses have been compromised. In contrast, the filing notice also lists driver’s license numbers and government-issued IDs. Further, due to the sample consumer notice, some victims can have additional exposures, including financial and personal details.
How Did HopSkipDrive Admit to the Breach?
The forensic investigation into the event determined that the assailants accessed the data environment around May 31st, 2023. Over the next week, the bad actors remained within the system, presumably collecting data. A month later, around July 25th, the presumed assailants emailed their findings to HopSkipDrive, potentially trying to extort the organization. Since then, officials have worked to notify impacted parties. Official impact notices have been sent out in waves, beginning around November 14th, December 11th, and January 10th, 2024.
What Will Become of the Stolen Information?
Data stolen in this event is at risk for misuse by the thieves who exfiltrated it. They could use it any time for extortion or impersonations; they could sell it on the dark web in bulk or single files. The data could resurface years from now in connection with fraudulent accounts or be used later this week for a credential-stuffing event. All this goes to say, now that the information has been exposed—concealing it again may be challenging; however, victims must act.
What Should Affected Parties Do in the Aftermath of the Breach?
Some of the exposed information is public knowledge—like names and mailing addresses—but emails and ID numbers are sensitive data. Victims must take steps to secure their accounts, including making unique passwords, implementing multi-factor authentications, and using one-time tokens whenever possible. They must also scrutinize any statements from organizations, from EoBs to monthly statements. If there is any suspicious activity in the documents, they must show it to an organization official. HopSkipDrive’s attack may have happened over six months ago, but victims still have time to protect their data from misuse.