Tata Motors Data Breach: Security Flaws Fixed - Update

Tata Motors Addresses Security Vulnerabilities
Tata Motors, a leading automotive manufacturer based in India, recently resolved a number of security weaknesses. These flaws potentially exposed confidential internal data, encompassing customer personal details, internal reports, and information pertaining to its dealer network.
Discovery of the Flaws
Security researcher Eaton Zveare alerted TechCrunch to the discovery of these vulnerabilities within Tata Motors’ E-Dukaan unit. This platform serves as an e-commerce portal for procuring spare parts for commercial vehicles manufactured by Tata.
Tata Motors, with its headquarters in Mumbai, is a significant producer of passenger vehicles, alongside commercial and defense vehicles. The company maintains a global footprint, operating in 125 countries and managing seven assembly plants, as detailed on its official website.
Exposed Data Details
Zveare’s investigation revealed that the portal’s web source code contained private keys. These keys granted access to modify data within Tata Motors’ account on Amazon Web Services (AWS). This discovery was documented in a blog post by the researcher.
The compromised data included hundreds of thousands of invoices. These invoices contained sensitive customer information, such as full names, postal addresses, and the Permanent Account Number (PAN) – a unique 10-digit identifier issued by the Indian government.
To avoid triggering alarms or incurring substantial data egress charges for Tata Motors, the researcher refrained from attempting to extract large volumes of data or download excessively large files.
Further Vulnerabilities Identified
The researcher also identified backups of MySQL databases and Apache Parquet files. These files contained various pieces of private customer information and internal communications.
Access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software was also possible through the exposed AWS keys. Furthermore, Zveare uncovered backdoor administrative access to a Tableau account, holding data on over 8,000 users.
With server administrator privileges, complete access to all data was attainable. This included internal financial reports, performance analyses, dealer performance evaluations, and a range of dashboards.
API Access Compromised
The exposure also extended to API access to Tata Motors’ fleet management platform, Azuga. This platform supports the company’s test drive website.
Reporting and Remediation
Upon discovering these issues in August 2023, Zveare reported them to Tata Motors via the Indian Computer Emergency Response Team (CERT-In). In October 2023, Tata Motors informed Zveare that it was actively addressing the AWS-related vulnerabilities after initially securing the identified loopholes.
However, the company did not provide a specific timeline for the completion of these fixes.
Tata Motors’ Response
Tata Motors confirmed to TechCrunch that all reported flaws were rectified in 2023. However, the company declined to state whether affected customers were notified about the potential exposure of their information.
Sudeep Bhalla, Head of Communications at Tata Motors, stated that the identified flaws and vulnerabilities were thoroughly investigated and fully addressed following their detection in 2023.
Bhalla further emphasized that the company’s infrastructure undergoes regular audits by leading cybersecurity firms. The company also maintains comprehensive access logs to monitor for unauthorized activity and actively collaborates with industry experts and security researchers to enhance its security measures and mitigate potential risks.
