An independent security researcher has discovered a database of 9.1 Mn Zoomcar users being sold on the dark web by an anonymous hacker. The database includes sensitive user data like name, email, phone number, IP address and encrypted passwords.
The anonymous hacker claims to have breached the Bengaluru-based mobility startup’s database in 2018 and has now made it available for sale. A database with details of 36 Lakh users is being sold for just $1-$2, whereas the complete database is available for $300 (INR 22K).
Security researcher Rajshekhar Rajaharia told Inc42, “The hackers are working on decrypting the passwords available in this public database and this could result in hacking of user accounts.” He added that the company should instantly inform users about the vulnerability and ask them to change passwords. Even without the passwords, email address and phone numbers of the users are a privacy risk to users.
However, in response to an Inc42 query, a Zoomcar spokesperson said, “Zoomcar has a high privacy bar with strict data protection standards. Our customers’ data is absolutely secure.”
We validated the phone numbers from this screenshot against Zoomcar’s login page, which showed that these numbers and email IDs are indeed registered on the platform. We also verified the validity of this process by entering the phone numbers of friends who are current users of Zoomcar. The database also contains details of Zoomcar founders.
Zoomcar was founded by David Back and Greg Moran in 2012, with presence in more than 45 cities, including Bengaluru, Delhi, Mumbai, Kochi and Pune among others. The company claims to serve over three thousand customers every day and has over 48 lakh subscribers and a fleet of over 6.5K cars.
Till now, Zoomcar has raised around $100 Mn across funding rounds. Its investors include Trifecta Capital, InnoVen Capital, Sequoia Capital, Empire Angels, Mahindra and Mahindra, among others.
According to its filings for FY19, Zoomcar increased its revenue to INR 266 Cr in FY19 from INR 157 Cr in FY18. However, the company’s expenses also almost doubled to INR 468 Cr as compared to INR 274 Cr in FY18. This also spiked Zoomcar’s losses to INR 201 Cr (FY19) from INR 116 Cr in the previous year.
Data Breaches On The Rise In Indian Startups
Other Indian startups including Chqbook, Ixigo, Justdial, have also faced cybersecurity concerns cases in the past year. Most recently, Gurugram-based online school management platform Skolaro exposed data belonging to over 50K students studying in around 100 Indian schools, their parents as well as teachers, after storing its database in unsecured servers
The number of data breaches in India has shot up in the past few years. According to MeitY, India witnessed 3.94 Lakh instances of cybersecurity incidents in 2019. This data was reported to and tracked by the Indian Computer Emergency Response Team (CERT-In).
Further, the MeitY minister has earlier noted in a Lok Sabha session that 49.4K, 50K, 53K, 208K and 394K cybersecurity incidents were reported in the year 2015, 2016, 2017, 2018 and 2019 respectively.
A 2019 joint study by PwC India and Data Security Council of India (DSCI) highlighted that the average cost of a data breach in the country has gone up to INR 11.9 Cr, an increase of 8% from 2017.