Indian automotive powerhouse Tata Motors has undertaken and completed the remediation of a cluster of critical security vulnerabilities that had left portions of its confidential internal infrastructure exposed. The flaws, which risked revealing a trove of sensitive data — encompassing personal details of customers, proprietary corporate documents, and confidential dealer-related records — were identified and responsibly disclosed by an independent security researcher. These weaknesses, if exploited, could have provided unauthorized individuals with significant insight into the inner workings of one of India’s largest vehicle manufacturers.

The discovery was made by cybersecurity researcher Eaton Zveare, who shared his findings with TechCrunch after uncovering the issues within Tata Motors’ specialized e-commerce division known as *E-Dukaan*. This portal serves as a digital marketplace enabling customers and partners to purchase spare parts for Tata’s extensive line of commercial vehicles. Based in Mumbai, Tata Motors operates at an extraordinary scale, producing not only passenger automobiles but also commercial transport and defense vehicles. According to publicly available company data, the corporation maintains a formidable global presence, conducting business across 125 countries and maintaining seven key assembly facilities dispersed across strategic regions.

In his analysis, Zveare reported that the very framework of the E-Dukaan web portal contained within its source code a set of embedded private access keys. These keys were tied to Tata Motors’ Amazon Web Services (AWS) infrastructure, effectively allowing privileged entry into systems where sensitive operational and customer information resided. As he elaborated in a detailed blog post, these credentials could have permitted malicious actors to manipulate or exfiltrate data from company accounts — a finding that represented a substantial breach potential for an enterprise of Tata Motors’ size and influence.
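Hardcoded cloud credentials of the kind described above are straightforward to catch before a front-end bundle ships. The following Python scanner is added here as an illustration, not code from the original report or from Tata Motors; it flags AWS access key IDs by their fixed AKIA/ASIA prefix and context-anchored 40-character secrets in a constructed sample bundle whose key values are made-up placeholders (the secret is the placeholder used in AWS documentation).

```python
import re
import sys
from typing import Dict, List

# Constructed sample of a front-end bundle with an embedded credential pair.
# Both values are placeholders, not real credentials.
SAMPLE_BUNDLE = """
const cfg = {
  region: "ap-south-1",
  accessKeyId: "AKIAEXAMPLE012345678",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
};
"""

# Long-term IAM access key IDs start with AKIA, temporary STS ones with ASIA;
# both are 20 characters of upper-case letters and digits.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# Secret access keys are 40 base64-like characters; anchoring on a nearby
# "secret..." identifier keeps random 40-char tokens from being flagged.
SECRET_RE = re.compile(r"(?i)secret[a-z_]*\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]")


def mask(value: str) -> str:
    """Keep a short prefix so the report itself does not leak the credential."""
    return value[:4] + "*" * (len(value) - 4)


def scan_for_aws_credentials(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspected AWS key ID or secret, with line numbers."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": mask(m.group(1))})
        for m in SECRET_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_secret_access_key",
                             "value": mask(m.group(1))})
    return findings


if __name__ == "__main__":
    # Scan files given on the command line, or the built-in sample if none.
    sources = sys.argv[1:] or [None]
    for path in sources:
        text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_BUNDLE
        for f in scan_for_aws_credentials(text):
            print(f"{path or '<sample>'}:{f['line']}: {f['kind']} {f['value']}")
```

Run it as a pre-commit or CI step over built JavaScript bundles; a non-empty result should block the release until the credential is moved server-side and rotated.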

The scope of the exposed data, as conveyed by Zveare to TechCrunch, was extraordinarily broad. It included vast numbers of invoicing documents — numbering in the hundreds of thousands — each containing personally identifiable customer information such as full names, residential and mailing addresses, and unique government-issued Permanent Account Numbers (PAN). In India, the PAN serves as a core financial identity marker consisting of ten alphanumeric characters, making it particularly sensitive from a privacy and regulatory standpoint.

In explaining his approach, Zveare was careful to stress his adherence to ethical research practices. He intentionally avoided any actions that might trigger panic, disrupt company operations, or generate excessive network usage. In his words, his restraint stemmed from a genuine desire to prevent harm or unnecessary alarm at Tata Motors, as well as to avoid producing large-scale data traffic or downloads that might have resulted in substantial financial costs for the company’s cloud services. This position underscores the importance of responsible disclosure within the cybersecurity community — balancing investigative diligence with respect for privacy and operational stability.

Further scrutiny revealed that additional sensitive assets were also at risk. Among them were MySQL database backups and Apache Parquet files containing fragments of confidential communication and customer correspondence. These records represented a composite of operational data that, when combined, could have provided an almost complete picture of Tata Motors’ internal communications network. More alarmingly, the exposed AWS access keys allowed potential entry to an enormous repository — reportedly exceeding seventy terabytes of stored digital content — directly associated with Tata Motors’ *FleetEdge* platform, a sophisticated fleet-tracking solution designed to monitor vehicle performance and logistics in real time.

Zveare’s research extended even further. He identified a concealed administrative backdoor granting elevated privileges within the company’s Tableau analytical environment, which contained the information of more than eight thousand users. The implications were extensive: as a server administrator, one could view a multitude of dashboards displaying internal financial performance metrics, dealer evaluation reports, and a spectrum of other confidential management data that together form the strategic backbone of corporate decision-making processes.

In addition to internal analytics, the discovery also encompassed exposed application programming interface (API) connections linked to Tata Motors’ *Azuga* fleet management platform — a system powering functionalities such as the company’s online test-drive portal. Through these compromised links, unauthorized users could have theoretically interfaced with real operational systems, underscoring the layered nature of the security breakdown.

Once the vulnerabilities were identified, Zveare proceeded with responsible disclosure protocols. In August 2023, he notified Tata Motors of his findings via India’s national Computer Emergency Response Team, known as CERT-In, the official body overseeing cybersecurity incident management and coordination. Subsequently, by October 2023, Tata Motors responded to confirm that it was actively working on securing the affected AWS environment after addressing the most immediate loopholes. However, at that stage, the company did not disclose precise timelines for the full remediation.

In response to TechCrunch’s inquiry, Tata Motors later affirmed that all identified issues had, in fact, been resolved before the close of 2023. Nonetheless, the company refrained from specifying whether it had issued any direct notifications to customers whose personal data might have been exposed during the window of vulnerability. This omission leaves open questions about the company’s post-incident communication strategy, though it does not diminish the technical completeness of the fix.

Sudeep Bhalla, Tata Motors’ head of corporate communications, issued a formal statement confirming that every reported vulnerability was thoroughly investigated following its identification. He emphasized that Tata Motors acted swiftly and comprehensively to resolve all exposed weaknesses across its systems. Bhalla’s remarks underscored that the organization’s technological infrastructure is subject to recurring audits by prominent cybersecurity firms. He further detailed that Tata Motors employs extensive access logging mechanisms to track and identify any signs of suspicious or unauthorized behavior in real time.

Finally, Bhalla emphasized the company’s forward-looking approach, explaining that Tata Motors maintains continuous collaboration with cybersecurity specialists and independent security researchers. This cooperative framework is intended to strengthen the company’s defenses against evolving digital threats while ensuring that any potential vulnerabilities are mitigated promptly. In essence, the company views these partnerships not merely as reactive measures, but as essential components of a broader, proactive cybersecurity ethos — one that reinforces Tata Motors’ commitment to trust, accountability, and data protection in the modern interconnected automotive industry.

Source: https://techcrunch.com/2025/10/28/tata-motors-confirms-it-fixed-security-flaws-that-exposed-company-and-customer-data/