
Tata Motors has resolved a series of significant security vulnerabilities that exposed sensitive internal and customer information, including personal data, confidential company reports, and dealer-related details. The flaws were discovered in Tata Motors’ E-Dukaan platform, an e-commerce portal used for purchasing spare parts for the company’s commercial vehicles.
Security researcher Eaton Zveare, who first identified the issue, told TechCrunch that the vulnerabilities allowed potential access to Tata Motors’ internal systems through exposed credentials in the platform’s source code. According to Zveare, the web source code contained private keys granting access to Tata Motors’ Amazon Web Services (AWS) account, enabling anyone with that information to view or alter data within the company’s systems.
Zveare said the exposed information included hundreds of thousands of invoices containing customer names, mailing addresses, and Permanent Account Numbers (PAN) — the unique tax identifier issued by the Indian government. He also noted the discovery of MySQL database backups and Apache Parquet files containing additional private customer data and communications.
“Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” Zveare told TechCrunch.
Further investigation revealed that the exposed AWS keys provided access to over 70 terabytes of data linked to Tata Motors’ FleetEdge fleet-tracking platform. Zveare also identified backdoor administrator access to a Tableau account containing internal reports and dashboards from over 8,000 users. “As server admin, you had access to all of it. This primarily includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards,” the researcher said.
The exposure also extended to API access to Tata Motors’ fleet management platform, Azuga, which powers its test drive website.
Zveare reported the vulnerabilities to CERT-In, India’s national cybersecurity agency, in August 2023, and Tata Motors later confirmed that all reported flaws were fixed in 2023. “We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” said Sudeep Bhalla, Head of Communications at Tata Motors.
Bhalla added that Tata Motors’ systems are regularly audited by top cybersecurity firms and that the company continues to collaborate with security experts to enhance its cybersecurity posture and prevent future risks.




