Tata Motors confirms it fixed security flaws, which exposed company and customer data

Tata Motors, the prominent Indian automotive manufacturer, has successfully remedied a series of critical security vulnerabilities that previously compromised sensitive internal and customer data. These flaws were identified by security researcher Eaton Zveare, who reported them to TechCrunch, revealing significant risks associated with Tata Motors’ E-Dukaan platform, which facilitates online purchases of spare parts for its commercial vehicles. Based in Mumbai, Tata Motors operates across 125 countries and is involved in producing a diverse range of vehicles including passenger cars, commercial trucks, and defense models. Zveare discovered that the web source code of the E-Dukaan portal contained private keys granting access to modify and retrieve data from Tata Motors’ Amazon Web Services (AWS) account. This breach exposed a staggering quantity of sensitive information, including hundreds of thousands of invoices detailing customer names, addresses, and unique identifiers like the Permanent Account Number (PAN) issued by the Indian government. In his blog post, Zveare emphasized that he refrained from downloading large amounts of data, aiming to avoid unnecessary alarms or potential consequences for Tata Motors. However, he noted the presence of MySQL database backups and Apache Parquet files, which harbored additional private customer information and communications. The AWS keys also provided access to more than 70 terabytes of data associated with Tata Motors’ FleetEdge fleet-tracking software. Moreover, Zveare uncovered backdoor admin access to a Tableau account containing data for over 8,000 users, which included sensitive internal documents like financial reports, performance metrics, dealer scorecards, and various dashboards. The compromised data even granted API access to Tata Motors’ fleet management platform, Azuga, which is integral to the company’s test drive services. Following the discovery of these vulnerabilities, Zveare promptly reported the issues to Tata Motors via the Indian Computer Emergency Response Team (CERT-In) in August 2023. By October 2023, Tata Motors communicated to Zveare that it was addressing the AWS-related concerns after securing the initial security gaps, although the company did not disclose the timeline for the complete resolution of these issues. In a statement to TechCrunch, Tata Motors confirmed that all reported vulnerabilities had been thoroughly investigated and resolved within 2023. However, it did not clarify whether affected customers had been notified about the potential exposure of their information. "We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed," stated Sudeep Bhalla, head of communications at Tata Motors. He added that the company routinely conducts audits with leading cybersecurity firms and maintains detailed access logs to monitor for unauthorized activities. Tata Motors also collaborates actively with industry experts and security researchers to enhance its security measures and mitigate risks promptly.