Zoomcar suffers data breach affecting 8.4 million users

Indian car-sharing and rental company Zoomcar has allegedly suffered a data breach affecting 8.4 million users across the country. The company is currently investigating the incident and says the threat actors reached out to employees, claiming a system compromise.

In its filing with the US Securities and Exchange Commission (SEC), Zoomcar claims there’s no evidence that financial information, plaintext passwords, or other “sensitive identifiers” were stolen in the attack. That said, hackers were able to get away with a “limited dataset” containing personal information of approximately 8.4 million users. This information includes:

  • Names
  • Phone numbers
  • Car registration numbers
  • Physical and email addresses

Daily operations remain unaffected by the breach, and Zoomcar has informed the relevant law enforcement authorities of the incident. The company also claims it has contained the incident and is implementing additional safeguards across its internal and cloud networks. External cybersecurity experts have also been called in to help with the ongoing investigation.

While technical details on the attack weren’t shared in the SEC filing, as is usually the case, the incident bears all the hallmarks of a ransomware attack. The fact that Zoomcar was alerted to the incident by the threat actors themselves is also an alarming detail and suggests that the threat actors reached out to potentially negotiate a ransomware payment.

As Zoomcar investigates the incident, it claims it’s evaluating any associated remediation costs. However, it hasn’t announced anything concrete for affected customers at the time of writing. It’s also unclear whether Zoomcar has notified, or plans to notify, affected customers.

This isn’t the first major security breach Zoomcar has suffered, either. In July 2018, the company suffered a similar attack, leaking personal details of 3.6 million customers. The stolen information included names, phone numbers, IP addresses, and passwords. Data from this breach was also found for sale on popular hacking forums in 2020.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
