Breach taxonomy
Summary
On June 9, 2025, Zoomcar Holdings detected unauthorized access to its platform systems, resulting in the exfiltration of personally identifiable information for approximately 8.4 million users. The exposed data included names, email addresses, phone numbers, and other user profile information. The company took steps to contain the breach, notified affected users, and engaged cybersecurity experts and law enforcement.
Tagging rationale
Threat: Unknown
Filing does not attribute the incident to a specific actor → UNKNOWN.
Methods: Data Exfil
Unauthorized actor actively accessed and exfiltrated user PII from the company's platform → DATA-EXFIL.
Assets: Personal Data
Approximately 8.4 million users' personally identifiable information (names, emails, phone numbers) was exfiltrated → PERSONAL-DATA.
Effects: Info Privacy Loss
Exfiltration of PII for 8.4 million users constitutes a significant information privacy loss → INFO-PRIVACY-LOSS.
Impact
PII of 8.4 million users exfiltrated including contact information; large user count but data sensitivity is moderate (no financial or government IDs confirmed) → score 3.
Insurance: Not disclosed
Filing makes no mention of insurance → null.
Original SEC filing excerpt
Item 1.05 Material Cybersecurity Incidents. On June 9, 2025, Zoomcar Holdings, Inc. (the Company) became aware of unauthorized access to certain of its systems. The Company's investigation determined that an unauthorized actor accessed and exfiltrated personally identifiable information of approximately 8.4 million users, including names, email addresses, phone numbers, and other user profile data. The Company took immediate steps to contain the incident, has notified affected users, engaged cybersecurity professionals, and notified law enforcement.