Indian automotive giant Tata Motors was recently found to have exposed tens of terabytes of sensitive company and customer data due to a series of critical security lapses, according to a report by security researcher Eaton Zveare.

Zveare discovered that two sets of Amazon Web Services (AWS) keys were left exposed across Tata Motors’ online platforms, allowing access to over 70 terabytes of data hosted in hundreds of S3 buckets.

The exposed information included customer invoices, financial documents, internal dashboards, and dealer performance reports.

Exposed keys put data at risk

According to Zveare’s report, the first exposure was on E-Dukaan, Tata Motors’ e-commerce platform for spare parts, where plaintext AWS credentials were found embedded directly in the site’s source code.

These credentials provided unrestricted access to internal S3 storage, exposing backups, invoices, and customer databases containing Permanent Account Numbers (PANs), a sensitive government-issued identifier.

A second case involved FleetEdge, Tata’s fleet-tracking solution, in which another pair of AWS keys was “encrypted” client-side but could be easily decrypted with JavaScript.

These credentials exposed what Zveare described as a “massive” 70TB data lake, containing decades of fleet telematics and analytics data stretching back to 1996.
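Both the E-Dukaan and FleetEdge findings come down to long-term AWS credentials shipped to the browser, once in plaintext and once behind a reversible client-side encoding. A scanner that checks built web bundles for access-key patterns, including ones hidden by a simple encoding, is the check a defender would run before deployment. The script below is an added example written for this article; it is not Tata Motors’ code or the researcher’s tooling. The sample JavaScript it scans is constructed, and the key values in it are the placeholder credentials from AWS’s own documentation, not real secrets.

```python
"""Scan web-bundle source for hardcoded or base64-obfuscated AWS credentials.

Added example, not code from any site discussed in the article. The sample
JavaScript below is constructed; its key values are AWS documentation
placeholders, not live credentials.
"""
import base64
import binascii
import os
import re

# Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A 40-character base64-alphabet string assigned to a name like "secretAccessKey" or
# "aws_secret_access_key"; requiring the name keeps random strings from matching.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?)?secret(?:_?access)?_?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])"
)

# Quoted base64-looking blobs; each is decoded and re-checked so that a key hidden
# behind client-side "encryption" that is really just encoding is still caught.
BASE64_BLOB_RE = re.compile(r"[\"']([A-Za-z0-9+/]{24,}={0,2})[\"']")


def decode_base64_text(blob):
    """Return the decoded ASCII text of a base64 blob, or None if it is not clean base64 text."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def scan_text(text):
    """Return (line_number, finding_kind, value) for every credential-like string in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "aws_secret_access_key", m.group(1)))
        for m in BASE64_BLOB_RE.finditer(line):
            decoded = decode_base64_text(m.group(1))
            if decoded and ACCESS_KEY_RE.search(decoded):
                findings.append((lineno, "base64_encoded_access_key_id", decoded))
    return findings


def scan_directory(root, extensions=(".js", ".mjs", ".html", ".json")):
    """Walk a built web bundle, scan each text file, and return {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample bundle. The encoded line is generated here so the sample stays
# self-consistent; it stands in for a key that was "encrypted" client-side.
ENCODED_KEY_ID = base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode("ascii")
SAMPLE_JS = f"""\
// constructed sample, not code from any real site
const awsConfig = {{
  region: "ap-south-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}};
const telemetryKey = "{ENCODED_KEY_ID}";
const buildId = "2024-01-01-release";
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_JS):
        print(f"line {lineno}: {kind}: {value[:4]}...{value[-4:]}")
```

Run against a build output directory with `scan_directory("dist")` as a CI gate. A hit is a release blocker regardless of how the value is wrapped: the remediation is to remove the key, rotate it in IAM, and have the browser call a backend that holds short-lived credentials, since nothing delivered to the client can be kept secret from it.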

Tableau and API backdoors

Furthermore, Zveare’s deep dive into the company uncovered a backdoor within Tata Motors’ Tableau analytics platform that would allow anyone to log in without a password by spoofing a trusted user token.

By using administrative privileges, he gained access to dashboards and reports for more than 8,000 internal users, revealing sensitive corporate performance data and dealer metrics.

The researcher also discovered an exposed Azuga API key in JavaScript code used by Tata’s test-drive website, granting access to fleet management systems that track company vehicles in real time.

Slow fix, serious lessons

Zveare reported all four vulnerabilities to India’s Computer Emergency Response Team (CERT-In) in August 2023. Tata Motors acknowledged the findings and began patching the issues, though remediation reportedly took several months.

Tata Motors reportedly said all the issues were “promptly and fully addressed,” and that its infrastructure is regularly audited by leading cybersecurity firms, according to the company’s communications head, Sudeep Bhalia. However, the company has yet to confirm whether affected users have been notified.

The disclosures exemplify how exposed credentials and weak access controls can put even major global enterprises at risk, and serve as a cautionary tale for organizations handling sensitive customer data.
