Indian automotive giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including personal information of customers, company reports, and data related to its dealers.
Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defence vehicles. The company has a presence in 125 countries worldwide and 7 assembly facilities, per its website.
Zveare found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher said in a blog post.
The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses, and permanent account number, or PAN, a ten-character unique identifier issued by the Indian government.
“Out of respect for not causing some kind of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.
There were also MySQL database backups and Apache Parquet files that included various bits of private customer information and communication, the researcher noted.
The AWS keys also enabled access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare also found backdoor admin access to a Tableau account, which included data of over 8,000 users.
“As server admin, you had access to all of it. This chiefly includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards,” the researcher said.
The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.
Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian computer emergency response team, known as CERT-In, in August 2023. Later in October 2023, Tata Motors told Zveare that it was working on fixing the AWS issues after securing the initial loopholes. However, the company did not say when the issues were fixed.
Tata Motors confirmed to TechCrunch that all the reported flaws were fixed in 2023, but would not say if it notified affected customers that their information was exposed.
“We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” said Tata Motors communications head Sudeep Bhalla, when contacted by TechCrunch.
“Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor for unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Bhalla.














