Indian automotive giant Tata Motors has quietly patched security flaws that exposed over 70 terabytes of sensitive data, including hundreds of thousands of customer invoices, internal financial reports, and dealer information. The vulnerabilities, discovered by security researcher Eaton Zveare in 2023, stemmed from AWS keys exposed in the source code of the company's e-commerce portal.
Tata Motors, India's automotive powerhouse with operations across 125 countries, has confirmed it patched critical security flaws that left a treasure trove of sensitive data wide open to potential attackers. The breach, discovered by security researcher Eaton Zveare, exposed everything from customer personal information to internal financial dashboards through a surprisingly basic oversight.
The vulnerability centered on Tata's E-Dukaan portal, an e-commerce platform for commercial vehicle spare parts. Zveare found that the portal's web source code contained hardcoded AWS private keys - essentially master passwords to the company's cloud infrastructure. "Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data," Zveare told TechCrunch.
What those keys unlocked was staggering. Hundreds of thousands of customer invoices containing names, addresses, and PAN numbers - India's equivalent of Social Security numbers - sat exposed alongside MySQL database backups and Apache Parquet files. The researcher also discovered backdoor admin access to a Tableau account with over 8,000 user records and complete access to Tata's FleetEdge tracking software containing 70+ terabytes of fleet data.
"As server admin, you had access to all of it. This primarily includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards," Zveare explained in his detailed blog post. The exposure even extended to API access for Azuga, the fleet management platform powering Tata's test drive website.
The timeline raises questions about corporate disclosure practices. Zveare reported the vulnerabilities through India's CERT-In in August 2023, with Tata acknowledging the AWS issues by October 2023. However, the company never provided a specific fix date, and when pressed by TechCrunch about customer notification, Tata remained silent.
"We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed," Tata Motors communications head Sudeep Bhalla stated. The company emphasized its regular security audits and collaboration with cybersecurity firms, but the fact that AWS keys were hardcoded in public-facing source code suggests gaps in basic security practices.
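A release-time check for the flaw described above (AWS keys hardcoded in web source that is served to browsers), given here as an added example that is not from Zveare's write-up or from Tata Motors: it scans built client-side assets for AWS access key IDs and reports whether a secret-shaped string sits nearby. The sample assets are constructed and use AWS's published documentation placeholder credentials; the function names and the 200-character search window are assumptions of this example.

```python
import re

# Access key IDs are 20 characters: "AKIA" (long-term) or "ASIA" (temporary) prefix.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters of base64 alphabet. That shape also matches
# hashes, so it is only treated as a signal when it appears close to a key ID.
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 200  # assumed search radius (characters) around each key ID

def redact(value):
    """Keep only enough of a value to locate it; never log the full credential."""
    return value[:4] + "..." + value[-4:]

def scan_asset(name, text):
    """Return one finding per AWS access key ID embedded in a client-side asset."""
    findings = []
    for m in ACCESS_KEY_ID.finditer(text):
        nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        findings.append({
            "asset": name,
            "line": text.count("\n", 0, m.start()) + 1,
            "key_id": redact(m.group()),
            "temporary": m.group().startswith("ASIA"),
            "secret_nearby": SECRET_CANDIDATE.search(nearby) is not None,
        })
    return findings

def scan_bundle(assets):
    """Scan a {filename: contents} mapping; a non-empty result should fail the release."""
    results = []
    for name in sorted(assets):
        results.extend(scan_asset(name, assets[name]))
    return results

# Constructed sample build output. The credentials are AWS's documentation placeholders.
SAMPLE_ASSETS = {
    "static/js/app.js": (
        "// build output (constructed sample)\n"
        "const cfg = {\n"
        "  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',\n"
        "  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "};\n"
    ),
    # A 40-character hash with no key ID nearby must not be reported.
    "static/js/vendor.js": "var hash='0123456789abcdef0123456789abcdef01234567';\n",
    "index.html": "<script src='static/js/app.js'></script>\n",
}

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_ASSETS):
        print(finding)
```

A key found this way has to be treated as compromised and rotated; deleting it from the source does not invalidate copies already served to browsers.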