The Indian car-sharing marketplace Zoomcar has disclosed that unauthorized access to its systems led to a significant data breach. This major security incident has reportedly impacted a total of 8.4 million users of the popular peer-to-peer rental service. The incident was first detected on June 9th, after a threat actor directly emailed company employees alerting them of a cyberattack. Although there has been no material disruption to its services, the company’s internal investigation confirmed that sensitive customer data was compromised. Zoomcar is a U.S.-listed public company, and its shares are now traded on the Nasdaq stock exchange, requiring SEC reporting.
The company’s preliminary investigation shows that the following data for 8.4 million customers has now been exposed to an unauthorized party.
This compromised data includes the customers’ full names, their personal phone numbers, their car registration numbers, and also their home addresses. Additionally, the email addresses that were associated with these user accounts have also been unfortunately exposed in this data security breach. However, Zoomcar says that there is no evidence of users’ financial information, plaintext passwords, or other sensitive identifiers being compromised.
The company has also underlined that it is still evaluating the exact scope and the potential impact of this security incident.
Zoomcar took swift action after the incident was discovered, with the help of external cybersecurity experts, to boost its cloud security. The company promptly activated its incident response plan and also notified the relevant authorities about this significant data security breach. They have stated that, to date, the incident has not resulted in any material disruption to the company’s daily business operations. However, the company continues to evaluate the full scope and potential impacts of the event, including all legal and financial considerations. The company has not yet provided any technical details regarding the cyberattack that allowed the unauthorized access to its internal systems.
At this time, the specific type of the attack has not yet been determined, and no known ransomware group has assumed responsibility. This is not the first time Zoomcar has suffered a major data breach that has exposed the personal information of its users. Back in the year 2018, the company suffered another major data breach that exposed the records of more than 3.5 million customers. That breach included names, email and IP addresses, phone numbers, and also their passwords that were stored as bcrypt hashes. That data was eventually offered for sale on an underground marketplace in 2020, exposing Zoomcar customers to many elevated risks.
Reference:
