- Zoomcar filed a new 8-K form with the SEC confirming cyberattack
- It found out about the attack from the threat actors
- Over 8 million users could have had their personal data stolen
Car sharing marketplace Zoomcar has suffered a cyberattack in which it lost sensitive information on millions of customers.
In a new 8-K form filed with the US Securities and Exchange Commission (SEC), the company said it was made aware of the attack on June 9, 2025, and a subsequent investigation determined the threat actors managed to steal, “a limited dataset containing certain personal information of a subset of approximately 8.4 million users”.
That includes people’s names, phone numbers, car registration numbers, postal addresses, and email addresses – but at this time, Zoomcar says it has no reason to believe financial information, passwords, or other sensitive identifiers were compromised.
No disruption
Responding to the attack, the company activated its incident response plan, and took “immediate action” to contain the threat.
This was apparently too little too late, though, as the company was actually made aware of the incident by the threat actors themselves.
Zoomcar said they hackers reached out to “certain employees” claiming to have made the breach, suggesting they dwelled on the systems long enough to exfiltrate whatever information they sought.
It wasn’t explained why the attackers reached out to their victims, but it’s safe to assume they demanded payment in exchange for deleting the stolen files. T
he wording of the 8-K filing suggests Zoomcar did not pay any ransom. Instead, it implemented “additional safeguards” across the cloud and internal network, increased system monitoring, and reviewed access controls.
Furthermore, it brought in a third-party cybersecurity expert for further assistance, and notified regulators and the police about the incident.
“To date, the incident has not resulted in any material disruption to the company’s operations,” Zoomcar concluded.
However, the company continues to evaluate the scope and potential impacts of the event, including legal, financial, and reputational considerations, as well as any associated remediation costs.
Via TechCrunch
