Indian car-sharing company, Zoomcar Holdings, targeted by threat actors!
Last week, Zoomcar Holdings, an Indian car-sharing firm, was targeted by cyberattackers. The company has filed a complaint with the U.S. Securities and Exchange Commission (SEC) regarding the incident. Zoomcar was founded by two Americans in 2013, but the company is currently operated from Bengaluru, India.
With a user base of over 10 million people, Zoomcar operates across 99 cities in India, as well as in Egypt, Vietnam, and Indonesia. Over the last year, Zoomcar's stock price plummeted by a massive 99%. The company was also removed from the Nasdaq Global Markets list in May 2025.
The car-sharing firm has taken immediate measures to limit the extent of the damage. It is working with a third-party cyber incident company to contain the situation, and a thorough investigation is under way.
Zoomcar, an Indian peer-to-peer car-sharing firm, enables car owners to list their cars for short- and medium-term rentals. The company operates across different nations in Asia. It merged with Innovative International Acquisition Corp (IOAC) in 2023 and became a US-listed public company. Because it is US-listed, it was required to disclose the cyber incident to the SEC.
The cyberattackers have managed to access the data of a staggering 8.4 million users. So far, there has been no evidence of business financial information or users’ plaintext passwords being compromised. Zoomcar became aware of the cyberattack when some of its employees received information about unauthorized access to Company Data.
This is not the first time that Zoomcar has been on the radar of cyberattackers. A similar breach happened in 2018, when threat actors managed to break into its system and gain access to the personal data of 9.1 million Zoomcar users.
Experts believe that although threat actors have not gained access to any confidential or financially sensitive information this time, users should still stay on alert. The data that these cybercrooks have laid their hands on is enough to help them initiate other cyber scams.
For example, these threat actors now have ample data that will enable them to pose as a renter or customer. That’s why Zoomcar customers must now be vigilant enough to avoid any calls, emails, or messages that carry a sense of urgency and require the customers to take swift action regarding car rental expenses.
Cybersecurity situation in South and Southeast Asia
The cyber incident occurred during a period when India and Southeast Asian countries have implemented stringent policies to safeguard user data. Under the Digital Personal Data Protection (DPDP) Act in India, companies are required to seek consent from users in order to process and use their data. They must also deploy appropriate security systems to secure the information. It is also mandatory to report any data breach to government agencies within the first 6 hours of the cyber incident.
Cyberattacks in Southeast Asia are increasing gradually. In one such incident, threat actors successfully hacked into the system of Kuala Lumpur International Airport in Malaysia. This led to unnecessary chaos, confusion, and delays for the passengers. Additionally, the cyberattackers demanded a ransom of US$10 million. Similarly, a China-based threat group has been targeting industrial as well as government entities across nations like Vietnam, the Philippines, and Taiwan.
Rapid digitization is one of the major reasons why South and Southeast Asian countries are facing cyber risks. Geopolitics is yet another reason why this area is vulnerable to attacks. Besides, the lack of digital awareness also plays a crucial role in contributing to rising cases of cyberattacks across South and Southeast Asian nations.
Why is it important to have a swift response time?
Similar to India’s shortened response time, Singapore also follows a 72-hour response policy. In the US, the SEC follows a 4-day reporting policy for cyber incidents. To be able to respond as early as possible when a cyber incident takes place, companies are required to maintain 24/7 incident responders.
The ultimate goal of this round-the-clock security system is to monitor all networks closely and then respond effectively and quickly. Enterprises should also prepare proper response plans and practice them deliberately. Everyone should participate, from executives to IT team members.
Experts emphasize that global organizations must maximize the impact of their cybersecurity investments. Spending should be strategic—focused on empowering people, enhancing phishing protection, raising awareness, and strengthening existing security infrastructures.
Every organization’s tech department must regularly assess its capabilities in anticipating risks, ensuring digital resilience, and managing, defending against, and withstanding potential cyberattacks. These evaluations should also test the organization’s preparedness to combat threats like phishing attacks and other sophisticated intrusions.