Indian automotive big Tata Motors has fastened a sequence of safety flaws that uncovered delicate inner knowledge, together with private info of consumers, firm stories, and knowledge associated to its sellers.
Safety researcher Eaton Zveare informed TechCrunch that he found the issues in Tata Motors’ E-Dukaan unit, an e-commerce portal for getting spare components for Tata-made industrial autos. Headquartered in Mumbai, Tata Motors produces passenger automobiles, in addition to industrial and protection autos. The corporate has a presence in 125 countries worldwide and 7 meeting services, per its web site.
Zveare mentioned he discovered that the portal’s net supply code included the personal keys to entry and modify knowledge inside Tata Motors’ account on Amazon Internet Providers, the researcher mentioned in a blog post.
The uncovered knowledge, Zveare informed TechCrunch, included tons of of hundreds of invoices containing buyer info, akin to their names, mailing addresses, and everlasting account quantity, or PAN, a ten-character distinctive identifier issued by the Indian authorities.
“Out of respect for not inflicting some kind of alarm bell or large egress invoice at Tata Motors, there have been no makes an attempt to exfiltrate giant quantities of information or obtain excessively giant information,” the researcher informed TechCrunch.
There have been additionally MySQL database backups and Apache Parquet information that included varied bits of personal buyer info and communication, the researcher famous.
The AWS keys additionally enabled entry to over 70 terabytes of information associated to Tata Motors’ FleetEdge fleet-tracking software program. Zveare additionally discovered backdoor admin entry to a Tableau account, which included knowledge of over 8,000 customers.
Techcrunch occasion
San Francisco
|
October 27-29, 2025
“As server admin, you had entry to all of it. This primarily consists of issues like inner monetary stories, efficiency stories, seller scorecards, and varied dashboards,” the researcher mentioned.
The uncovered knowledge additionally included API entry to Tata Motors’ fleet administration platform, Azuga, which powers the corporate’s take a look at drive web site.
Shortly after discovering the problems, Zveare reported them to Tata Motors by means of the Indian pc emergency response workforce, referred to as CERT-In, in August 2023. Later in October 2023, Tata Motors informed Zveare that it was engaged on fixing the AWS points after securing the preliminary loopholes. Nevertheless, the corporate didn’t say when the problems have been fastened.
Tata Motors confirmed to TechCrunch that every one the reported flaws have been fastened in 2023, however wouldn’t say if it notified affected prospects that their info was uncovered.
“We are able to verify that the reported flaws and vulnerabilities have been totally reviewed following their identification in 2023 and have been promptly and absolutely addressed,” mentioned Tata Motors communications head Sudeep Bhalla, when contacted by TechCrunch.
“Our infrastructure is repeatedly audited by main cybersecurity companies, and we preserve complete entry logs to observe for unauthorized exercise. We additionally actively collaborate with trade consultants and safety researchers to strengthen our safety posture and guarantee well timed mitigation of potential dangers,” mentioned Bhalla.
