According to security researcher Eaton Zveare, the exposed data included private customer information, confidential documents, and access credentials to Tata Motors’ cloud systems hosted on Amazon Web Services (AWS).
Headquartered in Mumbai, Tata Motors is a key global player in the automobile industry, manufacturing passenger, commercial, and defense vehicles across 125 countries.
Zveare revealed to TechCrunch that the E-Dukaan website’s source code contained AWS private keys that granted access to internal databases and cloud storage. These vulnerabilities exposed hundreds of thousands of invoices with sensitive customer data, including names, mailing addresses, and Permanent Account Numbers (PANs). Zveare said he avoided downloading large amounts of data “to prevent triggering alarms or causing additional costs for Tata Motors.”
The researcher also uncovered MySQL database backups, Apache Parquet files containing private communications, and administrative credentials that allowed access to over 70 terabytes of data from Tata Motors’ FleetEdge fleet-tracking software. Further investigation revealed backdoor admin access to a Tableau analytics account that stored data on more than 8,000 users, including internal financial and performance reports, dealer scorecards, and dashboard metrics.
Zveare added that the exposed credentials provided full administrative control, allowing anyone with access to modify or download the company’s internal data.
Additionally, the vulnerabilities included API keys connected to Tata Motors’ fleet management system, Azuga, which operates the company’s test drive website. Zveare responsibly reported the flaws to Tata Motors through India’s national cybersecurity agency, CERT-In, in August 2023.
The company acknowledged the findings in October 2023 and stated that it was addressing the AWS-related security loopholes. However, Tata Motors did not specify when all issues were fully resolved.
In response to TechCrunch’s inquiry, Tata Motors confirmed that all reported vulnerabilities were fixed in 2023.
However, the company declined to say whether it notified customers whose personal data was exposed. “We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” said Tata Motors communications head, Sudeep Bhalla. “Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture.”
The incident reveals the persistent risks of misconfigured cloud systems and exposed credentials in large enterprises. While Tata Motors acted swiftly after the report, cybersecurity experts emphasize that regular audits, strict access controls, and robust encryption are essential to prevent future breaches.
As more automotive companies integrate digital platforms and connected systems into their operations, securing sensitive customer and dealer data remains a top priority.
