A fresh cybersecurity scare has rattled India’s struggling car-sharing firm Zoomcar, just weeks after it was delisted from Nasdaq. The company confirmed that personal data of around 8.4 million users may have been accessed by hackers.
It’s yet another blow to a firm already on life support. And it’s unfolding as cyberattacks intensify across South and Southeast Asia.
8.4 Million Users Potentially Exposed in Major Breach
Zoomcar disclosed the breach last week in a filing with the U.S. Securities and Exchange Commission (SEC), stating that an “unauthorized third party” gained access to user records. While the company claims no financial data or plaintext passwords were stolen, phone numbers and home addresses were likely exposed.
In a rather bland disclosure, the company said it became aware of the breach only after employees received strange messages from someone claiming to have accessed company data.
This isn’t Zoomcar’s first run-in with hackers. Back in 2018, personal data from over 9 million users reportedly ended up for sale on the dark web. That’s a hard history to ignore.
And this time, the timing couldn’t be worse.
Nasdaq Boot, 99% Stock Plunge — Zoomcar’s Turbulent Year
Once riding high on the promise of millennial car-sharing in India’s urban chaos, Zoomcar is now knee-deep in financial ruin.
Its shares have lost more than 99% of their value in the past year. Nasdaq kicked the company off its Global Market exchange just last month for failing to meet listing requirements.
That’s brutal.
Founded by two Americans in Bengaluru, Zoomcar had built a user base of 10 million people across nearly 100 cities in India. But profitability? Nowhere in sight.
Zoomcar’s statement claimed the breach didn’t compromise financial information, but the optics of this incident are disastrous for a company already circling the drain.
What the Hackers Might Do With Your Info
Even if credit card details weren’t leaked, don’t breathe easy just yet.
Thomas Richards, a cybersecurity director at Black Duck, warns that exposed phone numbers and addresses can still fuel social engineering scams.
“These attackers don’t need your bank details to cause damage,” he said. “They can pretend to be customer support, fake billing agents — anything to trick users into giving away more.”
And that’s really the danger here. Pretext is everything for these scammers.
-
Phone numbers can be used for phishing texts or fake support calls
-
Home addresses help make scam emails seem more legit
-
Names tied to car rental accounts offer ready-made cover stories
This is low-hanging fruit for social engineers.
Zoomcar Isn’t Alone — Asia Faces a Rising Cybercrime Wave
Zoomcar’s breach is just one part of a much darker picture forming in Southeast Asia.
From hospitals in New Delhi to airports in Malaysia, critical systems are being breached by organized cybercriminals — and sometimes, by state-backed actors.
Here’s just a glimpse of what’s been happening:
| Country | Incident | Impact |
|---|---|---|
| India | Hospitals in New Delhi hacked | Patient care disrupted |
| Malaysia | Kuala Lumpur Airport systems compromised | Flight delays, $10M ransom demand |
| Philippines | Government networks targeted by China-linked group “Billbug” | Sensitive systems accessed |
| Taiwan, Vietnam | Similar attacks suspected by same state-linked threat actor | Ongoing surveillance and exploitation risks |
Agnidipta Sarkar, a senior exec at cybersecurity firm ColorTokens, said the region’s fast-paced digital adoption is a double-edged sword.
“Thailand, Vietnam, Singapore — they’re investing in digital infrastructure fast,” he said. “But that also means more targets and more vulnerabilities.”
India’s Data Law Leaves No Wiggle Room
Zoomcar’s breach is also being closely watched because of India’s 2023 Digital Personal Data Protection (DPDP) Act.
Under the law, companies are required to:
-
Get explicit user consent to use their personal data
-
Implement strict security safeguards
-
Report data breaches to the Indian government within six hours
That six-hour window is one of the shortest in the world. By contrast, Singapore allows 72 hours, and the U.S. SEC mandates four business days for material breaches.
If Zoomcar didn’t report this incident to CERT.in — India’s cyber watchdog — within the required time, they could be facing even more trouble.
Zoomcar hasn’t confirmed the exact timestamp of their internal discovery vs. disclosure, but pressure is mounting to find out.
Global Security Spend Hits $210B — But Is It Working?
Here’s the thing: worldwide cybersecurity spending is through the roof, yet breaches keep happening.
Gartner estimates that global information security investment will surpass $210 billion in 2025 — up 15% from last year.
But where’s that money going?
“Spending is high, sure, but resilience isn’t,” said Sarkar. “Companies don’t measure how well they can detect, contain, or bounce back from attacks.”
That disconnect is troubling.
Cyber experts argue that organizations — especially those handling consumer data — need 24/7 monitoring, not 9-to-5 fire drills.
Tim Rawlins from NCC Group agrees. “Detection delays cost companies millions. You need a 24/7 Security Operations Center, incident playbooks, executive awareness — the whole thing.”
Zoomcar’s response has included hiring a third-party security firm to investigate, but the fact that the breach was first flagged by a threat actor reaching out is, frankly, not a great look.
What Happens Next?
Zoomcar’s statement tries to reassure users that “no sensitive identifiers” were breached. But let’s be real — for a platform that stores renters’ location, contact, and behavior data, that bar feels awfully low.
Zoomcar might weather the cyberstorm, but reputational damage is hard to shake. For a company that’s already fallen off Nasdaq and is bleeding user trust, this data breach could be the final nail or just another bump on a very bumpy road.
