Tata Motors exposed sensitive customer data via E-Dukaan due to hard-coded AWS keys
Exposure included hundreds of thousands of invoices and 70 TB of FleetEdge telemetry
Admin access revealed MySQL backups and Tableau dashboards accessible to over 8,000 users
Indian automotive maker Tata Motors has fixed a series of security vulnerabilities that left sensitive customer records exposed.
Security researcher Eaton Zveare discovered hard-coded Amazon Web Services (AWS) keys and other flaws in Tata Motors’ E-Dukaan spare-parts portal that granted administrative access to cloud storage and analytics systems, enabling access to invoices, database backups and internal dashboards. Tata Motors confirmed the reported vulnerabilities were addressed in 2023.
According to the researcher and others, the exposed material included hundreds of thousands of customer invoices containing names, mailing addresses and Permanent Account Numbers (PAN); MySQL backups and Apache Parquet files with customer communications; administrative access to a Tableau instance holding internal financial and dealer scorecard dashboards for more than 8,000 users; and more than 70 terabytes of historical vehicle and fleet telemetry tied to the company’s FleetEdge service.
How the Flaw Worked
Zveare said the primary weakness was poor key management. Private AWS credentials were found in publicly accessible source code for the E-Dukaan portal, and similarly weak client-side protections allowed encrypted keys to be decrypted on the FleetEdge front end.
Those keys effectively acted as master credentials that could be used to list, view or modify cloud buckets and analytics assets.
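A defender-side check for the failure described above, as an added example that is not from the article, the researcher or Tata Motors: a Python scan of built web assets for AWS access key IDs before they are published. The file suffixes, the search window and the sample bundle are assumptions; the sample uses AWS's documented example credentials.

```python
import re
from pathlib import Path

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 characters; match them only as quoted literals.
SECRET_KEY = re.compile(r"""["'][A-Za-z0-9/+]{40}["']""")
WEB_SUFFIXES = {".js", ".mjs", ".map", ".html", ".json"}  # assumed asset types
WINDOW = 200  # characters searched either side of a key ID for its secret

def scan_text(name, text):
    """Return one finding per AWS access key ID found in text."""
    findings = []
    for m in ACCESS_KEY_ID.finditer(text):
        key_id = m.group(0)
        nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        findings.append({
            "file": name,
            "line": text.count("\n", 0, m.start()) + 1,
            "key_id": key_id[:4] + "..." + key_id[-4:],  # redacted for logs
            "long_term": key_id.startswith("AKIA"),
            "secret_nearby": SECRET_KEY.search(nearby) is not None,
        })
    return findings

def scan_tree(root):
    """Scan every web asset under root, e.g. the build output directory."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in WEB_SUFFIXES:
            findings += scan_text(str(path), path.read_text(errors="ignore"))
    return findings

# Constructed sample bundle using AWS's documented example credentials.
SAMPLE_BUNDLE = '''const cfg = {
  region: "ap-south-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
};
const s3 = new S3Client(cfg);
'''
CLEAN_BUNDLE = 'const cfg = { region: "ap-south-1", apiBase: "/api/v1" };\n'

if __name__ == "__main__":
    for finding in scan_text("bundle.js", SAMPLE_BUNDLE):
        print(finding)
```

A key that is encrypted in the bundle and decrypted by the same front end will not match these patterns, so a clean scan does not clear that design. Any credential the browser can recover has to be treated as public.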
The researcher reported the issues to India’s Computer Emergency Response Team (CERT-In) in August 2023 and engaged with Tata Motors as fixes were applied.
Tata Motors reportedly stated that the reported flaws “were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” but the company did not confirm whether affected customers had been notified.
Company Response
Tata Motors’ communications head, Sudeep Bhalla, said the company conducts regular audits with cybersecurity firms and maintains access logs to detect unauthorised activity. The firm also said it works with security researchers to strengthen its posture.
Security experts say exposed credentials and admin access are high-impact failures because they allow broad visibility into both personally identifiable information and sensitive corporate intelligence, from customer PANs to dealer performance metrics and fleet-tracking histories.
Even where no mass exfiltration is detected, such exposures raise risks of fraud, identity theft and industrial spying.





















