Zoomcar hit by massive data breach, exposing personal details of 8.4 million users

Indian car-sharing company Zoomcar Holdings said it recently suffered a significant data security incident that compromised the sensitive personal data of 8.4 million users.

 

Headquartered in Bengaluru, India, Zoomcar is a car-sharing marketplace that allows individuals to rent cars on a short-term basis. In late 2023, it became a U.S. public company through a merger with the SPAC IOAC, and its shares are now traded on Nasdaq (ZCAR).

 

In a filing with the U.S. Securities and Exchange Commission (SEC), Zoomcar said that on June 9, it detected a data security breach in which unauthorised threat actor gained access to its internal network. The company became aware of the incident after employees received external communications from the threat actors claiming to have accessed the company’s data.

 

Zoomcar immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident. As a precaution, the company activated its incident response plan and notified relevant law enforcement authorities about the same.

 

“Based on preliminary findings, the Company determined that an unauthorised third party accessed a limited dataset containing certain personal information of a subset of approximately 8.4 million users, including names, phone numbers, car registration numbers, personal addresses and email addresses associated with such users. 

 

“At this time, there is no evidence that financial information, plaintext passwords, or other sensitive identifiers were compromised,” Zoomcar said.

 

“In response to the incident, the Company has taken immediate actions to contain the threat and enhance its security posture. These measures include implementing additional safeguards across the cloud and internal network, increasing system monitoring, and reviewing access controls,” the company added.

 

Furthermore, Zoomcar said that the incident did not result in any “material disruption to the Company’s operations”, however, it continues to “evaluate the scope and potential impacts of the event, including legal, financial, and reputational considerations, as well as any associated remediation costs.”

 

At the time of publishing, no known hacker group claimed responsibility for the cyber attack on Zoomcar. The car rental company also did not share details on who was behind the attack, how much data was compromised, or whether it has received a ransom demand.