Tata Motors has verified that security vulnerabilities, which compromised company and client information, have been resolved.

Tata Motors, a major Indian automaker, has resolved multiple security vulnerabilities. These flaws had left sensitive internal data exposed, encompassing customer personal information, business records, and data related to their dealerships.

Eaton Zveare, a security researcher, informed TechCrunch of his discovery of these vulnerabilities within Tata Motors’ E-Dukaan division. This unit operates as an e-commerce site for acquiring spare parts for Tata commercial vehicles. Tata Motors, headquartered in Mumbai, manufactures passenger vehicles, as well as commercial and defense vehicles. According to its website, the company has a presence in 125 countries globally, with seven assembly plants.

Zveare stated that he detected private keys within the portal’s web source code. These keys could be used to access and alter data in Tata Motors’ Amazon Web Services account, he noted in a blog post.

Zveare told TechCrunch that the exposed data included hundreds of thousands of invoices. These invoices held customer data, such as names, mailing addresses, and permanent account numbers (PAN), which are unique ten-character identifiers issued by the Indian government.

The researcher informed TechCrunch, “Out of respect for not triggering an alarm or significant egress charges at Tata Motors, no attempts were made to extract large volumes of data or download very large files.”

The researcher also said he found MySQL database backups and Apache Parquet files containing various private customer details and communications.

The AWS keys further granted access to over 70 terabytes of data concerning Tata Motors’ FleetEdge fleet-tracking software. Zveare also uncovered backdoor admin access to a Tableau account, featuring data from more than 8,000 users.

The researcher stated, “As a server administrator, you had access to everything. This primarily includes internal financial reports, performance reports, dealer scorecards, and a variety of dashboards.”

The compromised data also encompassed API access to Azuga, Tata Motors’ fleet management platform, which supports the company’s test drive website.

Zveare reported these issues to Tata Motors in August 2023 via CERT-In, the Indian computer emergency response team, shortly after discovering them. Tata Motors informed Zveare in October 2023 that they were addressing the AWS issues after securing the initial weaknesses. However, the company did not specify when the fixes were implemented.

Tata Motors verified to TechCrunch that all reported vulnerabilities were corrected in 2023, but declined to comment on whether affected customers were informed about the exposure of their information.

Sudeep Bhalla, head of communications at Tata Motors, told TechCrunch, “We confirm that the reported flaws and vulnerabilities underwent thorough review following their identification in 2023 and were promptly and fully addressed.”

Bhalla stated, “Our infrastructure is regularly audited by prominent cybersecurity firms, and we keep extensive access logs to detect unauthorized activity. We also actively engage with industry experts and security researchers to improve our security measures and ensure timely resolution of potential risks.”