
Tata Motors Fixes Security Flaws Exposing Customer and Dealer Data
Indian automotive leader Tata Motors has confirmed that it fixed a series of security flaws that exposed sensitive company and customer information. The exposed data included invoices, customer identifiers, internal reports, and database backups.
Security researcher Eaton Zveare discovered these flaws in Tata Motors’ E-Dukaan unit, an e-commerce platform for purchasing spare parts for Tata’s commercial vehicles. The platform’s web source code contained private keys that allowed access to the company’s Amazon Web Services (AWS) account.
How the Exposure Happened
According to Zveare, the exposed AWS keys could access and modify large volumes of company data. This included hundreds of thousands of invoices containing customer names, mailing addresses, and Permanent Account Numbers (PAN) — India’s ten-character tax identifier.
Zveare reported that, to avoid triggering system alerts or causing disruptions, he did not download large amounts of data. However, the accessible content included MySQL database backups and Apache Parquet files with private communication data.
Access to FleetEdge and Tableau Systems
The researcher also found that he could access over 70 terabytes of data from Tata Motors’ FleetEdge fleet-tracking software. Additionally, he discovered admin credentials for a Tableau analytics account, exposing data from more than 8,000 users.
This access extended to internal financial reports, performance dashboards, and dealer scorecards. The flaws also provided API access to Tata Motors’ Azuga fleet management system, which supports its test drive operations.
Timeline of Reporting and Resolution
Zveare disclosed the issues to India’s Computer Emergency Response Team (CERT-In) in August 2023. By October 2023, Tata Motors acknowledged the report and began securing the exposed AWS credentials.
The company later confirmed that all identified flaws were resolved in 2023. However, it did not specify whether customers were notified about potential data exposure.
Tata Motors’ Security Statement
In a statement, Tata Motors’ communications head Sudeep Bhalla emphasized that the company “thoroughly reviewed” and “promptly addressed” the reported vulnerabilities.
He added that Tata Motors conducts regular cybersecurity audits through external firms and maintains comprehensive access logs to detect unauthorized activity. The company also collaborates with security researchers and industry experts to strengthen its digital defenses.
Strengthening Cyber Resilience in the Automotive Sector
This incident highlights the growing importance of data security in connected mobility. As vehicles and enterprise systems become increasingly digital, maintaining secure infrastructure is vital. Tata Motors’ response demonstrates a responsible and transparent approach to addressing vulnerabilities and reinforcing trust across its global operations.
How can other manufacturers enhance cybersecurity transparency without compromising operational efficiency?



