Indian car share company Zoomcar said hackers stole the personal information of 8.4 million users in an incident discovered last week. 

The Bengaluru-based company reported the incident to the U.S. Securities Exchange Commission (SEC) on Friday, telling investors that the company initially became aware of the breach on June 9. The hacker contacted employees of the company claiming to have breached systems and stolen data. 

“Based on preliminary findings, the Company determined that an unauthorized third party accessed a limited dataset containing certain personal information of a subset of approximately 8.4 million users,” the company said.

The breach includes names, phone numbers, car registration numbers, addresses and emails. The company is investigating the breach but said there is currently no evidence that financial information or passwords were stolen. 

Additional safeguards have been implemented and a cybersecurity firm has been hired to help with the response. Zoomcar said it does not expect the incident to affect the company’s operation but may lead to reputational and remediation costs. The company did not respond to requests for comment.

Founded in 2013, Zoomcar now operates in 99 cities across India, allowing people to offer their cars for rental to the platform’s more than 10 million users. 

Zoomcar previously had a massive data breach in July 2018 that included the names, IP addresses, passwords and phone numbers of 3.6 million customers. The data was eventually sold on a dark web marketplace in 2020. 

Several of the largest rental car companies in the world have had data breaches caused by cyberattacks over the last 12 months. 

Hertz, which owns its eponymous car rental company as well as top brands like Dollar and Thrifty, reported an incident in April affecting at least 100,000 U.S. residents and Avis dealt with a cyberattack in August 2024 that leaked the information of almost 300,000 people.