Zoomcar, India’s leading car-sharing platform, has confirmed a major data breach affecting 8.4 million users. Discovered on June 9, 2025, the breach came to light when a threat actor contacted Zoomcar employees, claiming unauthorized access to customer data. According to the company’s mandatory disclosure filed with the U.S. SEC, the compromised data includes user names, phone numbers, and vehicle registration details. Crucially, no financial information, plain-text passwords, or sensitive identifiers were accessed.
Although operations remained unaffected, Zoomcar activated its incident response protocol immediately and is working with internal and external cybersecurity experts to contain the threat. The company has notified law enforcement and regulatory agencies, and an investigation is underway. The hacker’s identity and the extent of potential misuse remain undetermined.
In response, Zoomcar has rolled out several cybersecurity upgrades, including stronger cloud and network protections, enhanced real-time monitoring, and a full audit of access controls. External cybersecurity firms have also been engaged for a forensic review.
This breach comes as Zoomcar continues to scale aggressively across global markets. Operating in 99 cities across India, Egypt, Indonesia, and Vietnam, the company now manages a fleet of over 25,000 vehicles and serves over 10 million registered users. Despite the breach, Zoomcar posted impressive growth figures in February 2025, including a 19% year-on-year rise in rentals (103,599 bookings) and a 500% increase in contribution profit to $1.28 million (₹10.69 crore). However, it also reported a net loss of $7.9 million (₹65.97 crore), reflecting continued expansion efforts.
Company executives remain optimistic, emphasizing that the breach, while serious, is unlikely to impact long-term growth or user trust, thanks to the swift response and ongoing security enhancements.
