Indian automaker Tata Motors has resolved several security issues that exposed sensitive company and customer data online.
The flaws were discovered in Tata Motors’ E-Dukaan portal, an online platform used to buy spare parts for Tata’s commercial vehicles. The issue came to light after security researcher Eaton Zveare reported his findings to the company.
Zveare told TechCrunch that he found the portal’s web source code contained private keys giving access to Tata Motors’ Amazon Web Services account. This access could have allowed unauthorized users to view and modify internal company data. The exposed information reportedly included hundreds of thousands of invoices with customer details such as names, mailing addresses, and permanent account numbers (PAN), which are unique identifiers issued by the Indian government.
The researcher also discovered MySQL database backups and Apache Parquet files that contained additional customer information and internal communication data. In total, the exposed data included over 70 terabytes related to Tata Motors’ FleetEdge fleet-tracking system, along with administrative access to a Tableau account holding data of more than 8,000 users.
According to Zveare, the AWS keys also provided access to financial and performance reports, dealer scorecards, and other confidential business information. He mentioned that he avoided downloading large amounts of data to prevent any disruption or unnecessary attention to Tata Motors’ systems.
The exposed data also gave access to Tata Motors’ fleet management platform, Azuga, which is used for test drive tracking. Zveare reported the security flaws to Tata Motors through India’s Computer Emergency Response Team (CERT-In) in August 2023. By October of that year, the company confirmed it was addressing the AWS-related vulnerabilities.
Tata Motors later told TechCrunch that all reported issues were fixed in 2023. However, the company did not clarify whether affected customers were notified about the exposure. Sudeep Bhalla, head of corporate communications at Tata Motors, said that the vulnerabilities were promptly reviewed and resolved.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
He added that Tata Motors regularly conducts cybersecurity audits with leading firms and keeps detailed access logs to detect unauthorized activity. The company also collaborates with cybersecurity experts and researchers to strengthen its systems and ensure quick action against potential risks.
