Low-code, no-code AI is the future. Don’t fall behind.

Download whitepaper

Download our DLP for AI whitepaper

Polymer

Download free DLP for AI whitepaper

Zoomcar data breach impacts 8.4 million users

Jun 19, 2025
Breach Data Privacy

Summary

  • Zoomcar has announced a data breach impacting 8.4 million users.
  • The breach was discovered after a malicious actor contacted employees.
  • The company suffered a similar breach in 2018, uncovered years later via a cybercrime marketplace.
  • Both breaches went undetected internally, highlighting weaknesses in security monitoring.
  • Key lessons: implement proactive detection, strengthen incident response, and continuously improve security defenses.

Zoomcar, the peer-to-peer car-sharing platform that lets users rent vehicles from everyday car owners, has confirmed a major data breach. According to the company, unauthorized actors accessed its systems, compromising the personal data of roughly 8.4 million users.

Here’s everything we know about the breach so far. 

Zoomcar data breach: What we know so far 

Zoomcar says it discovered the breach on June 9, 2025—not through intrusion detection, but after employees started getting messages from a hacker claiming to have stolen company data.

Because Zoomcar is publicly listed in the U.S., it had to report the breach to the Securities and Exchange Commission (SEC). In the official filing, the company confirmed that an unauthorized party accessed a specific set of personal data, including: 

  • Users’ names
  • Phone numbers
  • Car registration numbers
  • Home addresses
  • Email addresses

Zoomcar says there’s no evidence (so far) that financial information, passwords, or sensitive ID numbers were exposed. However, names and contact details linked to real-world car registrations are the perfect basis for targeted phishing scams and identity fraud. 

The attack vector and motive remain unclear. Zoomcar says the investigation is ongoing, and the full scope of the incident has yet to be determined.

History repeats 

This marks Zoomcar’s second major data breach. The company was previously compromised in 2018, when personal data belonging to over 3.5 million users was exposed. But that data breach wasn’t discovered until two years later, when the dataset appeared for sale on a cybercrime market place in 2020. 

Fast forward to now, and Zoomcar appears to be facing the same fundamental issue: a failure to proactively detect and contain a breach. 

In both incidents, the company failed to uncover the compromise on its own. For a platform handling millions of users’ personal information, this points to a concerning issue with its cybersecurity posture. 

Lessons learned 

While it’s currently unknown how the malicious actors managed to breach Zoomcar, there are still several important takeaways from this incident that organizations must bear in mind: 

  • Incident detection must be proactive: Invest in 24/7 runtime security tools that alert security teams to suspicious data interactions (such as exfiltrate a large amount of sensitive data)—better still if they can proactively mitigate these attempts without the need for manual intervention. 
  • Mistakes must be learned from: Should you suffer a security incident, undertaking a thorough incident response process is crucial. Don’t neglect the last step: learning from the incident and making improvements to your security posture. 
  • SEC reporting means visibility: Public companies must be aware that they can no longer hide when a data breach occurs. With the onus on transparency and brand reputation at stake, shoring up your defenses to prevent data breaches (and consequent SEC disclosures) is critical. 

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.

SHARE

Get Polymer blog posts delivered to your inbox.