Tata Motors confirms it fixed security flaws, which exposed company and customer data

Indian automobile giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including customers’ personal information, company reports and data related to its dealers.

Security researcher Eaton Zveare told TechCrunch that he discovered the flaws at Tata Motors' Electronic shop unit, an e-commerce portal for purchasing spare parts for commercial vehicles made by Tata. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries around the world and operates seven assembly facilities, according to its website.

Zveare found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ Amazon Web Services account, the researcher said in a blog post.

Zveare told TechCrunch that the exposed data included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses and Permanent Account Number, or PAN, a unique ten-character identifier issued by the Indian government.

“In deference to not causing some kind of alarm bell or huge exit bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download very large files,” the researcher told TechCrunch.

The researcher noted that there are also MySQL database backups and Apache Parquet files that include various pieces of private customer information and communications.

The AWS keys also provided access to more than 70 terabytes of data related to Tata Motors’ Fleet Edge fleet tracking software. Zveare also found backdoor administrative access to a Tableau account, which included data from more than 8,000 users.

“As the server administrator, you had access to all of that,” the researcher said. “This primarily includes things like internal financial reports, performance reports, reseller scorecards, and various dashboards.”

The exposed data also included access to the application programming interface (API) of Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.

Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian Computer Emergency Response Team, known as CERT-In, in August 2023. Later in October 2023, Tata Motors told Zveare that it was working to fix the AWS issues after securing the initial vulnerabilities. However, the company did not say when the issue was fixed.

Tata Motors confirmed to TechCrunch that all reported flaws had been fixed in 2023, but did not say whether it had notified affected customers that their information had been exposed.

“We can confirm that the reported defects and vulnerabilities were thoroughly reviewed after they were identified in 2023 and were promptly and fully remedied,” Sudeep Bhalla, Tata Motors’ head of communications, said when contacted by TechCrunch.

“Our infrastructure is regularly audited by leading cybersecurity companies, and we maintain comprehensive access logs to monitor unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure potential risks are mitigated in a timely manner,” Bhalla said.
