A major data breach at the struggling Indian car-sharing company Zoomcar has potentially exposed the personal information of 8.4 million users. The cybersecurity incident comes at a terrible time for the firm, which was recently delisted from the Nasdaq stock exchange after its shares plummeted by over 99%. The company confirmed the breach in a filing with the U.S. Securities and Exchange Commission.
A Vicious Cycle of Financial and Security Failures
Zoomcar is facing a perfect storm of problems. The company, once a promising startup in India’s urban mobility space, is now in deep financial trouble. Last month, it was kicked off the Nasdaq for failing to meet listing requirements, a direct result of its stock value collapsing.
This isn’t the first time Zoomcar has failed to protect its users. A similar incident in 2018 saw the data of over 9 million users reportedly sold on the dark web. This history of security lapses makes the latest breach even more damaging to its reputation.
The company stated it learned of the current breach only after employees received messages from the hacker. For a company trying to regain trust, this is a disastrous look.
What Hackers Can Do with Your Stolen Information
Zoomcar has tried to reassure users by stating that no financial data or plaintext passwords were compromised. However, cybersecurity experts warn that the stolen information, which includes names, phone numbers, and home addresses, is still very valuable to criminals.
Thomas Richards, a cybersecurity director, explains that this type of data is perfect for social engineering attacks. Scammers can use it to appear more credible and trick people into giving up more sensitive information.
Here’s how they can use your data:
- Phone numbers are used for targeted phishing text messages (smishing) or fraudulent support calls.
- Home addresses can make scam emails or letters seem official and legitimate.
- Names linked to a car rental service provide a ready-made story for scammers pretending to be from Zoomcar.
A Wider Wave of Cybercrime Across Asia
The Zoomcar incident is not happening in isolation. It is part of a growing trend of cyberattacks targeting organizations across South and Southeast Asia. The region’s rapid digitalization has created more opportunities for cybercriminals.
From critical infrastructure to government agencies, no sector seems safe. State-backed groups and organized crime syndicates are increasingly active, causing significant disruption.
Agnidipta Sarkar from the cybersecurity firm ColorTokens notes that as countries like Thailand and Vietnam invest heavily in digital infrastructure, they also create more targets for attackers.
| Country | Incident | Impact |
|---|---|---|
| India | Hospitals in New Delhi hacked | Patient care disrupted |
| Malaysia | Kuala Lumpur Airport systems compromised | Flight delays, $10M ransom demand |
| Philippines | Government networks targeted by China-linked group | Sensitive systems accessed |
India’s New Data Law Adds to the Pressure
Zoomcar’s handling of the breach is being watched closely due to India’s new Digital Personal Data Protection (DPDP) Act of 2023. The law imposes very strict rules on companies that handle personal data.
Under the DPDP Act, companies must report data breaches to the government within six hours of discovery. This is one of the shortest reporting deadlines in the world, far stricter than Singapore’s 72 hours or the four business days mandated by the U.S. SEC for significant incidents.
It remains unclear whether Zoomcar met this tight deadline. Any failure to comply could lead to severe penalties, adding legal trouble to its existing financial and reputational woes.