Tata Motors confirms it fixed security flaws, which exposed company and customer data

Indian auto giant Tata Motors has patched a series of security flaws that exposed sensitive internal data, including customers’ personal information, company reports and data related to its dealers.

Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for purchasing spare parts for Tata-manufactured commercial vehicles. Headquartered in Mumbai, Tata Motors manufactures passenger cars as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, per its website.

Zveare said he found that the portal’s web source code included private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher wrote in a blog post.

The exposed data, Zveare told TechCrunch, includes thousands of invoices containing customer information, such as their names, mailing addresses and Permanent Account Number, or PAN, a ten-character unique identifier issued by the Indian government.

“In respect of not triggering any alarm bells or large exit bills at Tata Motors, no attempt was made to remove large amounts of data or download excessively large files,” the researcher told TechCrunch.

There were also MySQL database backups and Apache Parquet files that included various bits of personal customer information and communications, the researcher noted.

The AWS keys also enabled access to more than 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare also gained backdoor admin access to a Tableau account, which included data on over 8,000 users.

“As a server administrator, you had access to all of it. This primarily included things like internal financial reports, performance reports, dealer scorecards and various dashboards,” the researcher said.

The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.

Shortly after discovering the problems, Zveare reported them to Tata Motors in August 2023 through the Indian Computer Emergency Response Team, known as CERT-In. Later in October 2023, Tata Motors told Zveare that it was working to fix the AWS issues after fixing the initial bugs. However, the company did not say when the problems would be fixed.

Tata Motors confirmed to TechCrunch that all reported flaws were fixed by 2023, but would not say whether it would notify affected customers if their information was exposed.

“We can confirm that reported errors and vulnerabilities were thoroughly reviewed in 2023 upon their detection and promptly and fully resolved,” Tata Motors head of communications Sudeep Bhalla said, when contacted by TechCrunch.

“Our infrastructure is regularly audited by leading cyber security organizations, and we maintain extensive access logs to monitor for unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Bhalla.
