Cyber Incident Victim: Zoomcar

Date: Jun 2025

Location: India

Summary

Zoomcar reported that an unauthorized third party accessed a limited dataset containing personal information of approximately 8.4 million users, including names, phone numbers, car registration numbers, personal addresses and email addresses, while finding no evidence that financial data, plaintext passwords or other sensitive identifiers were compromised. In response, the company contained the threat, strengthened its security posture by adding safeguards across its cloud and internal networks, increased monitoring, reviewed access controls, engaged third‑party cybersecurity experts, and notified relevant regulatory and law‑enforcement authorities with whom it is cooperating.


Description

On June 9, 2025, Zoomcar filed a Form 8‑K with the SEC indicating that an unauthorized third party accessed a limited dataset containing personal information of approximately 8.4 million users. The company stated that the first event was recorded on June 9 and that it became aware of the data leak after certain employees received external communications from a threat actor alleging a breach. The accessed data included names, phone numbers, car registration numbers, personal addresses, and email addresses associated with the affected users. The filing noted that there was no evidence that financial information, plaintext passwords, or other sensitive identifiers were compromised.

The exposure of names, phone numbers, car registration numbers, addresses, and email addresses for roughly 8.4 million users represents a significant privacy incident, though the absence of financial or credential data reduces the risk of direct monetary fraud or account takeover. The filing also included forward‑looking statements concerning the incident’s potential impact on the company’s future expectations.

In response, Zoomcar implemented additional safeguards across its cloud and internal network, increased system monitoring, and reviewed access controls. It engaged third‑party cybersecurity experts to assist with the investigation and notified appropriate regulatory and law‑enforcement authorities, cooperating fully with their inquiries. The company also stated that it was taking steps to enhance its overall security posture following the incident.
