Indian automaker Tata Motors has addressed multiple cybersecurity flaws that left confidential company data and customer information exposed online. The vulnerabilities, which affected its E-Dukaan platform — an online marketplace for purchasing spare parts for Tata’s commercial vehicles — were identified and reported by cybersecurity researcher Eaton Zveare.

Tata Motors, based in Mumbai, manufactures passenger cars, commercial trucks, and defense vehicles, and operates in over 125 countries. According to Zveare, the issue stemmed from exposed private keys embedded within the web source code of the E-Dukaan portal. These keys provided direct access to Tata Motors’ Amazon Web Services (AWS) account, enabling potential unauthorized access to critical internal data.

The researcher discovered that this flaw exposed hundreds of thousands of invoices containing sensitive customer details such as names, mailing addresses, and Indian Permanent Account Numbers (PAN) — a government-issued tax identifier. Additionally, backups from MySQL databases and Apache Parquet files contained private communications and customer records.

Perhaps more concerning was the access granted to over 70 terabytes of data from FleetEdge, Tata’s fleet-tracking system, and backdoor admin privileges to a Tableau account that held financial reports, dealer performance dashboards, and other confidential company analytics. Zveare emphasized that he did not exploit or download any large data sets to avoid triggering alerts or causing damage.

He also found exposed API credentials linked to Tata Motors’ Azuga fleet management platform, which powers its test drive booking service — potentially putting more customer data at risk.

Upon discovering these issues, Zveare responsibly reported them in August 2023 to CERT-In (India’s Computer Emergency Response Team). Tata Motors later acknowledged the report and confirmed that it began securing its AWS infrastructure by October 2023.

In a statement, Sudeep Bhalla, Tata Motors’ Head of Communications, confirmed that all vulnerabilities were “promptly and fully addressed” the same year. He added that the company regularly undergoes cybersecurity audits by top security firms, maintains detailed access logs, and works closely with industry experts to prevent future breaches.

While Tata Motors did not disclose whether affected customers were notified, the company assured that its systems are now fortified and under active monitoring to ensure continued data protection.

This incident underscores the growing cybersecurity challenges faced by major corporations as they expand their digital operations — and the critical importance of securing cloud-based systems that handle vast amounts of sensitive data.
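
The root cause reported above, AWS keys embedded in the portal's web source code, is something a pre-deployment check over shipped front-end assets can catch. The sketch below is an added example, not code from Tata Motors or the researcher: the function names, the 200-character search window and the entropy threshold are assumptions, and the sample bundle is constructed around the placeholder key pair from AWS's own documentation.

```python
import math
import re

# AWS access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary).
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys: a 40-char run from the base64 alphabet, not part of a
# longer blob (the lookarounds reject runs embedded in bigger strings).
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 200  # assumed: chars either side of a key ID searched for its secret

SAMPLE_BUNDLE = (  # constructed input; the pair is AWS's documentation placeholder
    'var app={};\n'
    'var s3=new S3({accessKeyId:"AKIAIOSFODNN7EXAMPLE",'
    'secretAccessKey:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"});\n'
)


def shannon_entropy(s):
    """Bits per character. A 40-char hex digest always scores below 4.0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep only enough of a key ID to look it up in the IAM key inventory."""
    return value[:4] + "..." + value[-4:]


def scan_asset(name, text):
    """Return one finding per AWS key ID in a shipped asset (JS, HTML, source map)."""
    findings = []
    for m in KEY_ID_RE.finditer(text):
        nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        secrets = [s for s in SECRET_RE.findall(nearby) if shannon_entropy(s) >= 4.0]
        findings.append({
            "asset": name,
            "line": text.count("\n", 0, m.start()) + 1,
            "key_id": redact(m.group(0)),
            "temporary": m.group(1) == "ASIA",
            "secret_nearby": bool(secrets),  # never log the secret itself
        })
    return findings


if __name__ == "__main__":
    for finding in scan_asset("app.js", SAMPLE_BUNDLE):
        print(finding)
```

A finding with `secret_nearby` set means a usable credential pair has shipped to every visitor, so the key should be rotated rather than only removed from the next build.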
