Whoosh

Whoosh operates a scooter-sharing service headquartered in Russia, providing short-term rental of electric scooters for urban mobility. The company's core business model involves a fleet of vehicles accessible via a digital platform, allowing customers to locate, unlock, and pay for rides through a mobile application. A significant data breach disclosed in November 2022 provides the primary public insight into the organization's scale, with the incident affecting records of 7.2 million users. This figure indicates a substantial customer base, as the compromised data included email addresses, phone numbers, and first names. The breach also involved partial payment card details for 1.9 million individuals and 3 million promotional codes for free rentals, highlighting the volume of transactional and promotional data the service manages. The nature of the stolen information underscores that Whoosh handles a wide array of personal and financial data as part of its standard operations, positioning it within the broader urban tech and micro-mobility sector where data security is a critical operational component.

The 2022 incident is a defining event in the company's recent history, detailing a cybersecurity failure with extensive customer impact. Hackers exfiltrated a comprehensive user database and attempted to sell it for $4,200 per buyer on a hacking forum and via Telegram, explicitly linking the theft to a prior system intrusion. Whoosh's initial public statement claimed the cyberattack had been thwarted, but the company later acknowledged the data leak while maintaining that sensitive account access credentials, full transaction histories, and complete payment information remained secure and were not part of the stolen dataset. This distinction between partial and full data compromise formed a key part of their public assessment of the breach's severity. In response, Whoosh initiated collaboration with law enforcement agencies to investigate the incident and to prevent the further dissemination of the stolen records. The breach exposed millions of users to potential phishing and fraud risks due to the leakage of contact information and partial payment details, while the compromise of promotional codes represented a direct financial liability through unauthorized ride credits. The event illustrates the cybersecurity challenges faced by consumer-facing tech platforms in Russia, particularly those managing large-scale user databases and payment-adjacent systems.