Zoomcar, the Nasdaq-listed car rental company headquartered in Bengaluru, has confirmed a major data breach that exposed personal information of about 8.4 million users. The breach was detected on June 9, 2025, when a threat actor contacted the company claiming to have gained unauthorized access to its internal systems. Zoomcar Holdings disclosed the incident in a regulatory filing (Form 8-K dated June 13) with the US Securities and Exchange Commission (SEC).
The company claims that it launched an immediate investigation and has since verified that user data, including names, phone numbers, email addresses, home addresses, and vehicle registration details, was compromised. However, the company has stated that no financial information, unencrypted passwords, or government-issued identification documents appear to have been accessed during the breach.
Despite the breach, the company noted that its core business operations remain unaffected. However, the firm admitted that it is continuing to assess the potential impact, including financial liabilities, legal exposure, and reputational damage.
Additionally, in response to the breach, the company claimed it had implemented a series of remedial measures. According to the filing, these measures included strengthening access controls, enhancing cloud and network monitoring, and engaging external cybersecurity experts to support the ongoing investigation.
Zoomcar (founded in 2013) also said that it has notified relevant law enforcement agencies and regulatory authorities in both the United States and India. But as of now, the firm has not disclosed whether affected users will be directly notified or offered credit monitoring services. The company is expected to share further updates as the investigation progresses. In the meantime, users of the platform are advised to stay cautious, especially against phishing attempts or unexpected messages that could misuse their exposed information.
This is not the first time Zoomcar has faced a data breach. In 2018, the company reportedly suffered a major security incident that exposed the personal data of around 3.5 million users. In that incident, the compromised information included names, email addresses, phone numbers, IP addresses, and passwords hashed with bcrypt. Even the data later appeared for sale on dark-web forums.
Cyberattacks and data breaches have emerged as a serious and growing concern in India, affecting several prominent companies across different sectors. In July 2024, cryptocurrency exchange WazirX reported a breach that resulted in the theft of about $235 million in digital assets. The attack exploited vulnerabilities in a multi-signature wallet, allowing hackers to bypass internal security controls. Recently (in May 2025), Coinbase confirmed a prolonged data breach tied to its India operations, revealing that the personal data of over 69,000 customers had been compromised over several months. Earlier in 2024, boAt faced a breach impacting 7.5 million users.
