Tata Motors confirms it has fixed security flaws that exposed company and customer data | TechCrunch


Indian auto giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including customer personal information, company reports and data related to its dealerships.

Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for purchasing spare parts for Tata commercial vehicles. Tata Motors, headquartered in Mumbai, produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, according to its website.

Zveare discovered that the portal’s web source code contained the private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher said in a blog post.

The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information such as their name, mailing address and permanent account number, or PAN, a unique 10-character identifier issued by the Indian government.

“Out of respect for the fact that no alarm bells or huge outbound bill were raised at Tata Motors, no attempts were made to exfiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.

There were also MySQL database backups and Apache Parquet files that contained various pieces of private customer information and communications, the researcher noted.

The AWS keys also enabled access to more than 70 terabytes of data related to Tata Motors’ FleetEdge fleet tracking software. Zveare also found backdoor administrative access to a Tableau account, which contained data from more than 8,000 users.

“As a server administrator you had access to everything. This mainly includes things like internal financial reports, performance reports, dealer scorecards and various dashboards,” the researcher said.

The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.

Shortly after discovering the problems, Zveare reported them to Tata Motors in August 2023 through India’s computer emergency response team, known as CERT-In. Later, in October 2023, Tata Motors told Zveare that it was working on resolving the AWS issues after securing the first loopholes. However, the company did not say when the issues would be resolved.

Tata Motors confirmed to TechCrunch that all reported flaws had been fixed by 2023, but declined to say whether it notified affected customers that their information had been made public.

“We can confirm that the reported flaws and vulnerabilities have been thoroughly assessed following their identification in 2023 and have been addressed quickly and fully,” Tata Motors communications head Sudeep Bhalla said when contacted by TechCrunch.

“Our infrastructure is regularly monitored by leading cybersecurity firms and we maintain extensive access logs to monitor for unauthorized activities. We also actively work with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Bhalla.
