The Bengaluru-based company told the US Securities and Exchange Commission that the first event was recorded on June 9. The company became aware of the data leak after “certain employees received external communications from a threat actor alleging unauthorised access to company data”, the filing noted.
Zoomcar said it activated its incident response plan upon discovering the breach. It said it implemented additional safeguards across the cloud and internal network, increased system monitoring, and reviewed access controls.
Zoomcar is also engaging with third-party cybersecurity experts to further assist with the investigation. The company has also notified the appropriate regulatory and law enforcement authorities and is cooperating fully with their inquiries, the filing read.
The data leak has not resulted in any material disruption to operations, Zoomcar said. However, the company said it is continuously evaluating the scope and potential impacts of the event, including legal, financial, and reputational considerations, as well as any associated remediation costs.
