Indian auto giant Tata Motors has patched a series of security flaws that exposed sensitive internal data, including personal customer information, company reports and data related to its dealers.
Security researcher Eaton Zveare told TechCrunch that he discovered the flaws at Tata Motors E-Dukaan unit, an e-commerce portal to buy spare parts for Tata commercial vehicles. Headquartered in Mumbai, Tata Motors manufactures passenger cars as well as commercial and defense vehicles. The company has one presence in 125 countries worldwide and seven assembly plants, according to its website.
Zveare said he found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ Amazon Web Services account, the researcher said in a blog post.
The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices that contained customer information such as their names, mailing addresses and Permanent Account Number (PAN), a unique 10-character identifier issued by the Indian government.
“Out of respect for not causing any kind of alarm bells or huge exit bill to Tata Motors, there were no attempts to infiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.
There were also MySQL database backups and Apache Parquet files that contained various pieces of private information and customer communications, the investigator noted.
The AWS keys also allowed access to more than 70 terabytes of data related to Tata Motors FleetEdge fleet tracking software. Zveare also found administrator access to a Tableau account, which included data from more than 8,000 users.
Techcrunch event
San Francisco
|
27-29 October 2025
“As a server administrator, you had access to all of this. This mainly includes things like internal financial reports, performance reports, dealer scorecards and various dashboards,” the researcher said.
The exposed data also included API access to Tata Motors’ fleet management platform Azuga, which powers the company’s test drive website.
Shortly after discovering the problems, Zveare reported them to Tata Motors through India’s computer emergency response team, known as CERT-In, in August 2023. Later, in October 2023, Tata Motors told Zveare that it was working to fix the AWS problems after securing the initial vulnerabilities. However, the company did not say when the problems were fixed.
Tata Motors confirmed to TechCrunch that all reported flaws were patched in 2023, but would not say whether it notified affected customers that their information had been exposed.
“We can confirm that the reported defects and vulnerabilities were thoroughly reviewed after they were identified in 2023 and addressed immediately and fully,” Tata Motors chief communications officer Sudeep Bhalla said when contacted by TechCrunch.
“Our infrastructure is regularly audited by leading cybersecurity companies and we maintain comprehensive access logs to monitor for unauthorized activity. We also actively work with industry experts and security researchers to strengthen our security posture and ensure early mitigation of potential risks,” said Bhalla.
