Tata Motors patches security flaws which exposed customer data
What's the story
Tata Motors, a leading Indian automaker, has patched a number of security vulnerabilities that exposed sensitive internal data. The flaws were discovered by security researcher Eaton Zveare in the E-Dukaan unit of Tata Motors. This e-commerce platform is used for purchasing spare parts for commercial vehicles manufactured by the company. The exposed information included personal details of customers and data related to dealers.
Data breach
Web source code had private keys to AWS account
Zveare found that the web source code of the E-Dukaan unit contained private keys to access and modify data within its Amazon Web Services (AWS) account. The exposed data included hundreds of thousands of invoices with customer details such as names, mailing addresses, and PAN numbers. Zveare refrained from exfiltrating large amounts of data or downloading excessively large files to avoid causing alarm at Tata Motors.
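Credentials shipped inside a web bundle are readable by anyone who loads the page, so the defensive control is to catch them before deployment. The scanner below is an added example written for this article, not code from Zveare's research or from Tata Motors; it assumes a build step can hand it the bundle text. The sample bundle is constructed, and the credentials in it are the placeholder values AWS uses in its own documentation, not real keys.

```python
"""Scan front-end source text for embedded AWS credentials.

Added example of a pre-deployment secret check. The sample bundle is
constructed; its credentials are AWS documentation placeholders.
"""
import re
from dataclasses import dataclass

# Long-term access key IDs start with AKIA, temporary ones with ASIA; both
# are 20 uppercase alphanumerics. The look-arounds stop matches that sit
# inside a longer base64 run.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 characters of base64-like text. On its own that
# pattern is noisy (hashes, blobs), so a hit is only reported when it sits
# within a few lines of an access key ID or on a line labelled "secret".
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_LABEL_RE = re.compile(r"secret", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str   # "access_key_id" or "secret_access_key"
    value: str  # redacted so the report itself does not leak the secret


def redact(token: str) -> str:
    """Keep only the first and last four characters for the report."""
    return token[:4] + "..." + token[-4:]


def scan_source(text: str, window: int = 3) -> list[Finding]:
    """Return every credential-looking token in `text`, ordered by line."""
    lines = text.splitlines()
    findings: list[Finding] = []
    key_lines: set[int] = set()
    for n, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(n, "access_key_id", redact(m.group())))
            key_lines.add(n)
    for n, line in enumerate(lines, start=1):
        for m in SECRET_RE.finditer(line):
            near_key = any(abs(n - k) <= window for k in key_lines)
            labelled = SECRET_LABEL_RE.search(line) is not None
            if near_key or labelled:
                findings.append(Finding(n, "secret_access_key", redact(m.group())))
    return sorted(findings, key=lambda f: (f.line, f.kind))


def has_aws_credentials(text: str) -> bool:
    """Gate for a CI step: True means the bundle must not ship."""
    return bool(scan_source(text))


# Constructed excerpt of a minified bundle. The key pair is the placeholder
# pair from AWS documentation (AKIAIOSFODNN7EXAMPLE), not a live credential.
SAMPLE_BUNDLE = """\
// constructed minified-bundle excerpt; credentials are AWS documentation placeholders
var s3 = new AWS.S3({
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  region: "ap-south-1"
});
var cdnHash = "5d41402abc4b2a76b9719d911017c592";
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_BUNDLE):
        print(f"line {f.line}: {f.kind} {f.value}")
    print("block release:", has_aws_credentials(SAMPLE_BUNDLE))
```

The report redacts the matched tokens so that the scanner's own output does not become a second copy of the secret. The fix on the application side is the same regardless of what the scanner finds: the browser should call a backend that signs requests with short-lived, least-privilege credentials, and any key that was ever in a shipped bundle is treated as compromised and rotated.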
Data details
Vulnerabilities also exposed fleet-tracking software data
The security flaws also exposed MySQL database backups and Apache Parquet files containing private customer information and communications. The AWS keys provided access to more than 70TB of data related to the firm's FleetEdge fleet-tracking software. Zveare also found backdoor admin access to a Tableau account, which contained data on more than 8,000 users, including internal financial reports, performance reports, dealer scorecards, and various dashboards.
Issue report
Vulnerabilities reported to Tata Motors
Upon discovering the vulnerabilities, Zveare reported them to Tata Motors via CERT-In in August 2023. In October 2023, Tata Motors confirmed that it was working on fixing the AWS issues, having already secured the initial loopholes. However, the company did not specify when these issues were resolved. When contacted by TechCrunch, communications head Sudeep Bhalla from Tata Motors confirmed that all reported flaws were fixed in 2023, but did not confirm whether affected customers had been notified about their exposed information.