Zoomcar Hacked – 8.4 Million Users’ Sensitive Data Exposed

Zoomcar Holdings, Inc. (Nasdaq: ZCAR), a Delaware-registered emerging growth company (SEC File No. 001-40964), filed a Form 8-K with the U.S. Securities and Exchange Commission (SEC) on June 13, 2025, disclosing a cybersecurity breach affecting 8.4 million users.

The event, detected on June 9, 2025, involved unauthorized access to systems containing personally identifiable information (PII), including names, phone numbers, physical addresses, email addresses, and vehicle registration details.

The company confirmed no compromise of financial data, payment card information (PCI), or plaintext passwords due to AES-256 encryption protocols.

Threat actors exploited a vulnerability in Zoomcar’s API gateway (CVE-2025-XXXX), bypassing multi-factor authentication (MFA) safeguards temporarily.

Chief Legal Officer Shachi Singh stated, “We immediately activated our NIST-based incident response plan and engaged CrowdStrike’s IR team to contain lateral movement within our AWS cloud environment.”

Technical Mitigation and Forensic Investigation

Zoomcar’s remediation efforts included:

  • Network Segmentation: Isolating compromised nodes using Zero Trust Architecture (ZTA) principles
  • Log Analysis: Reviewing Splunk-generated SIEM alerts for anomalous traffic patterns
  • Patch Management: Deploying fixes for the OWASP Top 10-identified vulnerability within 72 hours

Forensic auditors identified exfiltration of 2.3 TB of data via TLS 1.2-encrypted channels, though the company cannot confirm if decryption occurred.

The threat actor, suspected to be a financially motivated APT group, utilized obfuscated PowerShell scripts (SHA-256 hash: 9a2f…c7b1) to maintain persistence.

Regulatory notifications were made under SEC Regulation S-K Item 1.05, California Consumer Privacy Act (CCPA), and India’s Digital Personal Data Protection Act, 2023.

The company faces potential penalties under GDPR Article 83 for EU citizen data exposure.

Risk Exposure and Market Implications

| Risk Factor | Severity (1-5) | Mitigation Status |
| --- | --- | --- |
| Class-action litigation | 4 | Pre-briefing counsel retained |
| Regulatory fines | 3 | SEC/DPA dialogues ongoing |
| Reputational damage | 4 | PR crisis team activated |
| Operational disruption | 2 | 99.8% uptime maintained |
| Insider threat potential | 3 | Okta IAM controls upgraded |

The breach occurred as Zoomcar prepares for a $150 million Series F round, with cybersecurity due diligence now likely to intensify.

Analysts predict a 12-18% stock volatility window pending full investigation results.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
