Indian auto giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data including customer personal information, company reports and dealer-related data.
Security researcher Eaton Zuber told TechCrunch that he discovered the flaw in Tata Motors' E-Dukaan division, an e-commerce portal for purchasing spare parts for Tata commercial vehicles. Tata Motors, headquartered in Mumbai, produces passenger cars as well as commercial and defense vehicles. The company has a presence in 125 countries and seven assembly facilities, according to its website.
Zuber found that the portal's web source code contained private keys to access and modify data in Tata Motors accounts on Amazon Web Services, researchers said in a blog post.
Zubair told TechCrunch that the leaked data included hundreds of thousands of invoices containing customer information such as names, mailing addresses, and permanent account numbers (PANs, a 10-character unique identifier issued by the Indian government).
“At Tata Motors, no attempt was made to exfiltrate large amounts of data or download excessively large files, in deference to not causing any kind of alarm bells or hefty outbound charges,” researchers told TechCrunch.
There were also MySQL database backups and Apache Parquet files containing various pieces of customers' personal information and communications, researchers noted.
AWS keys also gave access to over 70 terabytes of data related to Tata Motors' fleet tracking software, FleetEdge. Zveare also discovered backdoor administrator access to a Tableau account that contained data for over 8,000 users.
tech crunch event
San Francisco | October 27-29, 2025
“The server administrator had access to all of it, primarily internal financial reports, performance reports, dealer scorecards, and various dashboards,” the researchers said.
The leaked data also included API access to Azuga, the fleet management platform that powers Tata Motors' test drive website.
Zuvea reported the issue to Tata Motors through India's Computer Emergency Response Team, known as CERT-In, in August 2023, shortly after discovering the issue. In late October 2023, Tata Motors informed Zuvea that it was working on fixing the AWS issue after securing an initial loophole. However, the company did not say when the issue would be fixed.
Tata Motors confirmed to TechCrunch that all reported flaws will be fixed in 2023, but declined to say whether affected customers were notified that their information had been compromised.
“We can confirm that once the reported flaws and vulnerabilities were identified in 2023, they were thoroughly investigated and quickly and completely addressed,” Sudeep Bala, head of communications at Tata Motors, told TechCrunch.
“Our infrastructure is regularly audited by a leading cybersecurity company and we maintain comprehensive access logs to monitor for fraudulent activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and mitigate potential risks in a timely manner,” Barra said.