Tata Motors announces it has addressed security vulnerabilities that jeopardized company and customer information.

Tata Motors Resolves Significant Security Vulnerabilities Exposing Sensitive Data

Overview of Security Flaws in E-Dukaan

Tata Motors, a prominent player in the global automotive market, has addressed a series of security vulnerabilities that compromised sensitive internal data, including customer information and company reports. The breaches were linked to the company’s E-Dukaan platform, which functions as an e-commerce portal for purchasing spare parts for commercial vehicles manufactured by Tata.

Discovery of Security Issues

The vulnerabilities were uncovered by security researcher Eaton Zveare, who disclosed his findings to TechCrunch. The E-Dukaan platform, operated from the company’s headquarters in Mumbai, was found to contain web source code that improperly included private keys. These keys grant access to critical data stored on Amazon Web Services (AWS).
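
A pre-deployment check for the flaw class described above, AWS keys shipped in web source code, as an added example that is not code from Zveare, TechCrunch or Tata Motors: it scans an asset's text for AWS access key IDs and flags a secret-shaped string nearby. The `find_aws_keys` helper, the sample bundle and its file name are constructed for illustration, and the key pair is the placeholder AWS uses in its documentation.

```python
import re

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# IAM user keys, ASIA for temporary STS keys) plus 16 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 200  # characters either side of a key ID searched for a secret


def find_aws_keys(text, filename="<asset>"):
    """Return one finding per access key ID found in a web asset's text."""
    findings = []
    for m in ACCESS_KEY_ID.finditer(text):
        start = max(0, m.start() - WINDOW)
        nearby = text[start:m.end() + WINDOW]
        key_id = m.group(0)
        findings.append({
            "file": filename,
            "line": text.count("\n", 0, m.start()) + 1,
            "key_id": key_id[:4] + "..." + key_id[-4:],  # redacted for reports
            "long_term": m.group(1) == "AKIA",
            "secret_nearby": bool(SECRET_KEY.search(nearby)),
        })
    return findings


# Constructed sample bundle (hypothetical). The key pair below is the AWS
# documentation placeholder, not a real credential.
SAMPLE_BUNDLE = """\
const cfg = {
  region: "us-east-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
};
const buildId = "AKIAIOSFODNN7EXAMPLEX";  // 21 chars, so not a key ID
"""

if __name__ == "__main__":
    for finding in find_aws_keys(SAMPLE_BUNDLE, "app.bundle.js"):
        print(finding)
```

A long-term key with its secret beside it is the case to block at build time; any key that has already shipped should be rotated, not just removed from the source.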

Types of Exposed Data

Zveare revealed that the compromised data encompassed hundreds of thousands of invoices featuring sensitive customer details, such as names, addresses, and PAN (Permanent Account Number), an essential identifier issued by the Indian government.

To avoid causing harm or alarm, Zveare refrained from downloading substantial amounts of data or performing extensive data exfiltration. Nevertheless, other sensitive information available in the compromised environment included MySQL database backups and Apache Parquet files, which contained various forms of private customer correspondence and information.

The AWS keys also permitted access to a significant repository of data associated with Tata Motors’ FleetEdge fleet-tracking software, amounting to over 70 terabytes. Additionally, Zveare discovered unauthorized administrative access to a Tableau account encompassing data from more than 8,000 users.

Details of the Internal Data Exposed

According to Zveare, the compromised data included critical internal documents such as financial reports, performance analytics, dealer scorecards, and various operational dashboards. The data leak also provided API access to Tata Motors’ Azuga fleet management platform, which is integral to the company’s customer interaction through test drives.

Reporting and Remediation Actions

Upon identifying these vulnerabilities in August 2023, Zveare promptly alerted Tata Motors through India’s Computer Emergency Response Team (CERT-In). Subsequently, in October 2023, the company communicated that it was actively working to rectify the vulnerabilities identified on the AWS platform.

While Tata Motors has confirmed that all reported flaws were addressed within the year, the company has not indicated whether customers whose data may have been compromised were informed of the exposure.

Statement from Tata Motors

In a statement to TechCrunch, Tata Motors’ communications head, Sudeep Bhalla, confirmed the thorough review and resolution of the reported vulnerabilities. He stated, "Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor for unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks."

Conclusion

Tata Motors has taken significant steps to resolve the security vulnerabilities that exposed sensitive information related to customers and internal operations. The company’s commitment to cybersecurity practices emphasizes its ongoing efforts to safeguard data integrity and protect customer privacy in an increasingly complex digital landscape.

