Indian automotive giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data. The compromised information included personal details of customers, company reports, and data related to its dealers.
Security researcher Eaton Zveare discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, commercial vehicles, and defense vehicles. The company has a presence in 125 countries worldwide and operates seven assembly facilities.
Zveare found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ account on Amazon Web Services. The exposed data included hundreds of thousands of invoices containing customer information, such as names, mailing addresses, and permanent account numbers. A permanent account number is a ten-character unique identifier issued by the Indian government.
The researcher stated that, to avoid causing alarm or running up a massive data transfer bill for Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files. The researcher also noted the presence of MySQL database backups and Apache Parquet files that contained various bits of private customer information and communication.
The AWS keys also enabled access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare additionally found backdoor admin access to a Tableau account, which included data on over 8,000 users. With server admin access, one could reach internal financial reports, performance reports, dealer scorecards, and various dashboards.
The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website. Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian computer emergency response team, known as CERT-In, in August 2023. Later, in October 2023, Tata Motors told Zveare it was working on fixing the AWS issues after securing the initial loopholes. The company did not specify when the issues were fixed.
Tata Motors confirmed to TechCrunch that all the reported flaws were fixed in 2023, but would not say whether it had notified affected customers that their information was exposed. A company communications head stated that the reported flaws and vulnerabilities were thoroughly reviewed following their identification and were promptly and fully addressed. He added that the company’s infrastructure is regularly audited by leading cybersecurity firms and that it maintains comprehensive access logs to monitor for unauthorized activity. The company also actively collaborates with industry experts and security researchers to strengthen its security posture.

