Tata Motors confirms fixing cyber security flaws that left 70TB of customer data at risk

The risk from the exposure was immense, consisting of both personal customer information and sensitive corporate intelligence.

The security vulnerabilities were found across multiple digital platforms at Tata Motors, raising serious concerns about the company's internal data security protocols. (Image: Reuters)

Indian auto giant Tata Motors has confirmed fixing a series of critical security flaws that exposed highly sensitive data. The company, which recently underwent a demerger separating its commercial vehicle division from its passenger vehicle division, revealed that almost 70TB of sensitive customer and company data was at risk; the issue was first reported in 2023.

The security vulnerabilities were found across multiple digital platforms at Tata Motors, raising serious concerns about the company’s internal data security protocols. The vulnerabilities were discovered and reported by security researcher Eaton Zveare, who publicly disclosed his findings after a protracted remediation process. 

The root cause of the widespread data leak was reportedly identified as poor key management across several of Tata Motors’ client-facing systems. The most glaring error involved hardcoded Amazon Web Services (AWS) access keys found directly in the public source code of E-Dukaan, the company’s e-commerce portal for spare parts.

These hardcoded credentials granted unauthorised administrative access to hundreds of the company’s cloud storage buckets.

Tata Motors fixes errors reported in 2023

A similar flaw affected FleetEdge, Tata’s fleet tracking solution, where encrypted AWS keys could easily be decrypted via the client-side code, unlocking further massive data repositories. The discovery highlighted that highly privileged keys were being used to fetch trivial information, creating an outsized security risk.
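Both the E-Dukaan and FleetEdge flaws described above come down to long-lived AWS credentials shipped in code that the public can read. The check below is an added example for defenders and is not Tata Motors' code or the researcher's tooling: it scans a front-end bundle for AWS access key IDs and secret access keys before the bundle is published. The sample bundle, the `scan_source` function and the `Finding` type are constructed for this illustration; the key values are the placeholder credentials from AWS's own documentation, not real keys.

```python
import re
from dataclasses import dataclass

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-term IAM user keys, ASIA for temporary STS keys) plus 16 uppercase
# alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 base64-style characters; on their own they are
# hard to tell from other blobs, so we require an "aws secret (access) key"
# style label on the same line to keep false positives down.
AWS_SECRET_KEY = re.compile(
    r"""(?i)aws[_-]?secret[_-]?(access[_-]?)?key\s*[:=]\s*['"]([A-Za-z0-9/+=]{40})['"]"""
)


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str  # redacted, so the report itself never carries the secret


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the source."""
    return secret[:4] + "..." + secret[-4:]


def scan_source(text: str) -> list[Finding]:
    """Return every AWS credential-looking string found in the source text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(0))))
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(2))))
    return findings


def bundle_is_publishable(text: str) -> bool:
    """A client-side bundle may ship only if it carries no AWS credentials at all."""
    return not scan_source(text)


# Constructed sample of a JavaScript front-end bundle (not Tata Motors code).
# The credential values are AWS's documented example placeholders.
SAMPLE_BUNDLE = """\
// sample web bundle for the spare-parts portal (constructed for this example)
const config = {
  region: "ap-south-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  aws_secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
};
const s3 = new AWS.S3(config);
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_BUNDLE):
        print(f"line {f.line_no}: {f.kind} {f.snippet}")
    print("publishable:", bundle_is_publishable(SAMPLE_BUNDLE))
```

Run as a pre-commit hook or a CI step over built assets, a scanner like this stops the E-Dukaan pattern before the bundle reaches a browser. It deliberately does not try to recognise "encrypted" keys such as those in FleetEdge, because no encoding makes a key safe in client code: whatever routine decrypts it ships with the page. The fix for both cases is the same, keep credentials on a backend and hand the browser only short-lived, narrowly scoped tokens or presigned URLs.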

The risk from the exposure was immense, consisting of both personal customer information and sensitive corporate intelligence. The compromised data included:

– Hundreds of thousands of customer invoices detailing personal information such as full names, mailing addresses, and the Indian Permanent Account Number (PAN).

– MySQL database backups and private customer communication logs.

– Over 70TB of historical vehicle and fleet insights dating back to 1996 from the FleetEdge data lake.

– Backdoor administrative access to internal Tableau dashboards, which housed sensitive financial reports, dealer scorecards, performance metrics, and data for more than 8,000 internal users.

Zveare first reported the issues in August 2023 through the Indian Computer Emergency Response Team (CERT-In). While Tata Motors’ communications head, Sudeep Bhalla, confirmed that the flaws were fully addressed in 2023, full remediation reportedly dragged on until January 2024, requiring repeated follow-ups from the researcher.

Although Tata Motors has confirmed fixing the issue, according to a report from TechCrunch, the company is yet to publicly comment on whether it has taken steps to notify the millions of potentially affected customers about the exposure, citing a policy to avoid discussing specifics of security matters. 

“We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed. Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor for unauthorised activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Sudeep Bhalla, Tata Motors communications head, in a statement to TechCrunch.


This article was first uploaded on October 29, 2025, at 11:06 am.