Indian automotive giant Tata Motors has quietly patched a massive security breach that exposed over 70 terabytes of sensitive data, including hundreds of thousands of customer invoices, internal financial reports, and dealer information. The vulnerabilities, discovered by security researcher Eaton Zveare in 2023, stemmed from exposed AWS keys in the company's e-commerce portal source code.
Tata Motors, India's automotive powerhouse with operations across 125 countries, has confirmed it patched critical security flaws that left a treasure trove of sensitive data wide open to potential attackers. The breach, discovered by security researcher Eaton Zveare, exposed everything from customer personal information to internal financial dashboards through a surprisingly basic oversight.
The vulnerability centered on Tata's E-Dukaan portal, an e-commerce platform for commercial vehicle spare parts. Zveare found that the portal's web source code contained hardcoded AWS private keys - essentially master passwords to the company's cloud infrastructure. "Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data," Zveare told TechCrunch.
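As an added illustration (not from the article and not Tata Motors' code), the check below is the kind of pre-commit or CI gate that catches the defect described above: long-term AWS credentials embedded in a web bundle. The JavaScript samples are constructed, and the key values are the placeholder credentials AWS uses in its own documentation, not real ones.

```python
import re

# AWS long-term access key IDs are 20 characters and start with AKIA (IAM user)
# or ASIA (temporary credentials); secret keys are 40 base64-style characters.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Only flag a 40-char run when it sits right after a name like secretAccessKey
# or AWS_SECRET_ACCESS_KEY, to keep false positives on ordinary base64 low.
AWS_SECRET_RE = re.compile(
    r"(?i)secret[_a-z]*key[^A-Za-z0-9/+=]{0,6}"
    r"(?P<secret>[A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def scan_source(text):
    """Return (line_number, kind, value) for every hardcoded AWS credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group("secret")))
    return findings


def redact(value):
    """Show only the ends of a credential so a CI log never reprints the secret."""
    return value[:4] + "..." + value[-4:]


# Constructed front-end bundle reproducing the defect: credentials shipped to every browser.
LEAKY_JS = """\
// constructed example of the defect: long-term AWS credentials in a client bundle
const s3 = new S3Client({
  region: "ap-south-1",
  credentials: {
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  },
});
"""

# Constructed fix: the browser holds no AWS credentials at all; a backend with a
# short-lived, least-privilege role performs the S3 operation on its behalf.
FIXED_JS = """\
// constructed fix: the bundle calls our own API; only the backend talks to AWS
const res = await fetch("/api/parts/invoices", { credentials: "same-origin" });
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_source(LEAKY_JS):
        print(f"line {lineno}: {kind} {redact(value)}")
    print("fixed bundle findings:", scan_source(FIXED_JS))
```

Running the module reports the two leaked values on lines 5 and 6 of the constructed bundle and nothing for the fixed one; a non-empty result is the signal to fail the build.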
What those keys unlocked was staggering. Hundreds of thousands of customer invoices containing names, addresses, and PAN numbers - India's equivalent of Social Security numbers - sat exposed alongside MySQL database backups and Apache Parquet files. The researcher also discovered backdoor admin access to a Tableau account with over 8,000 user records and complete access to Tata's FleetEdge tracking software containing 70+ terabytes of fleet data.
"As server admin, you had access to all of it. This primarily includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards," Zveare explained in his detailed blog post. The exposure even extended to API access for Azuga, the fleet management platform powering Tata's test drive website.
The timeline raises questions about corporate disclosure practices. Zveare reported the vulnerabilities through India's CERT-In in August 2023, with Tata acknowledging the AWS issues by October 2023. However, the company never provided a specific fix date, and when pressed by TechCrunch about customer notification, Tata remained silent.
"We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed," Tata Motors communications head Sudeep Bhalla stated. The company emphasized its regular security audits and collaboration with cybersecurity firms, but the fact that AWS keys were hardcoded in public-facing source code suggests gaps in basic security practices.
This incident reflects broader challenges facing legacy enterprises as they digitize operations. Tata Motors, with seven global assembly facilities and a complex dealer network, represents the kind of traditional manufacturer now managing vast digital ecosystems. The company's response - fixing quietly without public disclosure - follows a pattern common among established firms prioritizing reputation management over transparency.
The automotive sector has become increasingly vulnerable as vehicles generate massive amounts of location, performance, and user data. Similar breaches have hit major automakers across Asia, with companies often taking months or years to fully assess and remediate exposures. Tata's case stands out for the sheer volume of exposed data and the researcher's restraint in not exploiting the access.
What makes this particularly concerning is the dealer network exposure. Automotive dealers often handle financing applications, insurance documents, and service records - creating cascading privacy risks when corporate security fails. The exposed dealer scorecards and performance reports could also reveal competitive intelligence that rivals might find valuable.
For Tata Motors, this represents a significant test of stakeholder trust as the company expands its electric vehicle ambitions and digital services. The firm's stock has remained stable, suggesting investors view this as a contained legacy issue rather than a systemic risk. But the silence around customer notification could attract regulatory attention as India strengthens its data protection enforcement.
Tata Motors' swift but quiet response to this massive exposure highlights the complex balance enterprises strike between security remediation and reputation management. While the company deserves credit for working with the researcher and implementing fixes, the lack of customer notification raises questions about transparency standards in India's growing digital economy. For an automotive giant managing sensitive fleet data across 125 countries, this incident serves as a costly reminder that basic security hygiene - like never hardcoding credentials - remains the foundation of enterprise cybersecurity.