Zoomcar Discloses Major Data Breach After Threat Actor Contacts Employees
Zoomcar Holdings Inc. has confirmed a significant cybersecurity incident involving the unauthorized access of user data belonging to 8.4 million customers. The breach was detected on June 9, after company employees received direct emails from a threat actor claiming to have infiltrated Zoomcar’s systems.
While the company stated there has been no material disruption to its services, an internal investigation revealed that a substantial volume of user data was indeed accessed by an unauthorized party.
Based in India, Zoomcar operates as a peer-to-peer car-sharing platform across emerging Asian markets, connecting vehicle owners with renters for short and medium-term leasing. The firm went public on NASDAQ (ZCAR) in late 2023, after a merger with U.S.-based blank-check firm Innovative International Acquisition Corp (IOAC).
Data Exposed: Personal Information Compromised
According to the company’s preliminary findings, the compromised data includes:
- Full names
- Phone numbers
- Car registration numbers
- Home addresses
- Email addresses
Importantly, Zoomcar emphasized that there is no evidence suggesting the breach included financial data, plaintext passwords, or other identifiers that could immediately lead to identity theft.
However, the exposed combination of contact and vehicle details significantly increases the risk of phishing attacks, targeted scams, and identity correlation—especially when matched with data from prior breaches.
Repeat Offense Raises Alarm
This is not the first time Zoomcar has been targeted. In 2018, the company suffered a breach affecting 3.5 million customers. The stolen data—including hashed passwords—resurfaced on underground forums in 2020, raising concerns that threat actors may once again attempt to monetize user records.
Given its public company status and U.S. listing, Zoomcar is now required to report such cybersecurity events to the U.S. Securities and Exchange Commission (SEC), under SOX and cybersecurity compliance mandates.
Attack Method Unclear; No Group Has Claimed Responsibility
The specific method of attack remains undetermined, and no ransomware group or threat actor has claimed responsibility so far. Zoomcar has not responded to follow-up queries from media outlets regarding the nature of the intrusion or mitigation measures.
The company notes that its investigation is ongoing and that it is continuing to assess the full scope and impact of the incident.
Risk Mitigation and Cyber Resilience in the Mobility Sector
Mobility platforms such as Zoomcar are increasingly targeted by data-centric attacks due to the combination of identity, location, and vehicle data they manage. These incidents highlight the urgent need for organizations to implement zero-trust architectures, data minimization, and immutable backup solutions to preserve business continuity.
If your platform deals with sensitive consumer data, now is the time to invest in robust defense layers.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.
