Zoomcar Holdings has confirmed a significant data breach impacting 8.4 million users, revealing unauthorized access to its information systems. The breach was identified on June 9, following a message from a threat actor alerting company employees to the cyberattack.
Despite the breach, Zoomcar stated that there has been no material disruption to its services. However, a preliminary investigation has indicated that sensitive information, including users’ full names, phone numbers, car registration numbers, home addresses, and email addresses, have been compromised. No evidence has been found of financial data or plaintext passwords being exposed.
As a public company registered in Delaware and traded on Nasdaq (ZCAR), Zoomcar is required to report such incidents to the U.S. Securities and Exchange Commission (SEC). In its SEC filing, the company confirmed the breach and noted its ongoing assessment of the incident’s scope and impact. No definitive information has been released regarding the type of cyberattack or any responsible parties.
This is not the first time Zoomcar has faced a data breach. In 2018, a previous incident compromised the data of over 3.5 million customers, raising concerns for user privacy and security, as sensitive data was later offered for sale on an underground marketplace. The company has yet to respond to inquiries regarding the current incident.