Zoomcar Breach Exposes Data of 8.4 Million Users
- Cytopus
- 2 days ago

Zoomcar has confirmed that personal data belonging to 8.4 million users was compromised following unauthorized access to its systems. The company, now listed on Nasdaq, faces scrutiny not only under U.S. disclosure laws but also from global privacy regulators, given the scale and nature of the data involved.
Incident Overview
Zoomcar Holdings, a leading Indian peer-to-peer car-sharing platform, has disclosed a major data breach affecting approximately 8.4 million users. The incident was identified on June 9, 2025, after employees received emails from a threat actor claiming to have gained unauthorized access to company systems. An internal investigation has since confirmed that sensitive user data was indeed exposed. The compromised information includes users' full names, phone numbers, home addresses, car registration numbers, and email addresses. Although Zoomcar has stated that no financial information, plaintext passwords, or data that would directly identify individuals have been leaked, the scale and nature of the exposed data still pose significant risks to those affected. As of now, the company has not linked the breach to any specific threat actor or ransomware group, and there has been no public claim of responsibility for the incident.
Repeat Breach Raises Concerns
This incident marks the second major cybersecurity event for Zoomcar. The company previously experienced a breach in 2018 that exposed data for 3.5 million customers, including names, email addresses, phone numbers, and password hashes. That dataset was later sold on underground forums in 2020, placing affected individuals at increased risk of fraud, phishing, and identity theft. The recurrence of such incidents raises questions about the maturity of Zoomcar’s security posture and its long-term data governance strategy.
Potential Financial Impact
Zoomcar has confirmed that its services remain operational, but the financial repercussions of the breach could be significant. Costs for forensic investigations, incident response, and system enhancements may exceed seven figures, while even minor operational downtime can impact user trust. The exposure of personally identifiable information (PII) makes the company vulnerable to lawsuits, especially in jurisdictions with strict data protection laws.
Regulatory and Compliance Implications
Zoomcar is facing significant regulatory challenges across multiple jurisdictions. In the EU, the GDPR applies if European users are affected, potentially resulting in fines of up to €20 million or 4% of annual global turnover. The NIS2 Directive also requires strong security measures and breach notifications, with fines reaching €10 million or 2% of global turnover for violations. In India, the Digital Personal Data Protection Act (DPDPA) imposes similar obligations, including mandatory breach disclosures and data minimization.
How Cytopus Can Help Your Business
As this breach demonstrates, digital service providers are facing increasing expectations regarding cyber resilience and data protection. Cytopus delivers specialized cybersecurity solutions to meet the sector’s unique threat landscape:
- Continuous Vulnerability Management: Our platform performs real-time scans to detect and remediate vulnerabilities across your enterprise environment, before they can be exploited.
- Security Compliance and Risk Assessment: We help organizations align their security posture with leading frameworks, including GDPR, CRA, DORA, and NIS2, thereby minimizing regulatory exposure.
- Threat Intelligence and Threat Detection: Leveraging AI-driven analysis, Cytopus ingests global threat feeds to detect exploitation attempts against zero-days and critical flaws.
- Continuous Monitoring and Incident Response: Cytopus provides 24/7 security operations, combining automated detection with expert-led incident response to swiftly contain and address breaches.
- Business Continuity and Disaster Recovery Planning: We help develop and validate disaster recovery and business continuity plans to ensure minimal disruption in the event of security incidents.