Bus transportation company Schmitty and Sons yesterday confirmed it notified 3,985 people of a May 2024 data breach that compromised private personal information.
Ransomware group LockBit claimed responsibility for the attack on May 21, 2024 and posted images of the allegedly stolen data.
Schmitty and Sons has not verified LockBit’s claim. Schmitty and Sons has not publicly disclosed what data was compromised, but it is offering victims 12 months of free credit monitoring and identity theft restoration via IDX. That implies the compromised data could be used for identity theft.
The company’s notice (PDF) to victims states, “On May 11, 2024, Schmitty & Sons experienced a network disruption. We immediately took steps to secure our network environment and engaged cybersecurity experts to conduct an investigation to determine what happened. The investigation determined that certain files may have been acquired without authorization.”
We do not yet know how attackers breached Schmitty and Sons’ network, whether the company paid a ransom, or how much LockBit demanded. Comparitech contacted Schmitty and Sons for comment and will update this article if it responds.
The enrollment deadline for free credit monitoring and ID theft protection is January 29, 2025.
Who is LockBit?
LockBit first appeared in 2019 and has claimed responsibility for thousands of ransomware attacks. In addition to date theft, the Russian cybercrime group’s malware encrypts computer systems so they can’t be used until a ransom is paid for a key to decrypt them.
Comparitech logged 72 confirmed ransomware attacks claimed by LockBit in 2024 so far, affecting more than 8.2 million records. Other recent LockBit targets include Joliet Public Schools District 82 and Fairfield Memorial Hospital Association.
LockBit claimed another 426 attacks in 2024 that haven’t been acknowledged by targets.
Ransomware attacks on US transportation
Ransomware can steal data and lock down computer systems, resulting in downtime and delays for transportation companies like Schmitty and Sons.
Comparitech recorded 10 confirmed ransomware attacks on US transportation companies in 2024 so far, affecting 25,825 records. 2024 is set to see fewer such attacks than 2023, during which we recorded 22 attacks affecting 199,418 records.
In another recent attack on US transportation, Mile Hi Foods notified (PDF) about 500 people of a breach carried out by Play Ransomware.
About Schmitty and Sons
Founded in 1952, Schmitty and Sons owns and operates a fleet of 300 buses including school buses, public transit buses, coaches, and shuttles. The Minnesota-based company employs more than 500 people, according to its LinkedIn profile.
