Tata Motors Patches Security Flaws That Exposed Customer Data

Summary
– Security researcher Eaton Zveare discovered vulnerabilities in Tata Motors’ E-Dukaan portal that exposed private AWS keys and sensitive internal data.
– The exposed data included hundreds of thousands of customer invoices with personal information like names, addresses, and government-issued PAN numbers.
– The security flaws also allowed access to 70 terabytes of fleet-tracking data, backdoor admin access to a Tableau account, and internal company reports and dashboards.
– Zveare reported the issues to Tata Motors in August 2023, and the company confirmed all flaws were fixed in 2023 but did not disclose if affected customers were notified.
– Tata Motors stated they regularly audit their infrastructure with cybersecurity firms and collaborate with experts to strengthen their security posture.

A significant security vulnerability within Tata Motors’ E-Dukaan e-commerce portal has been successfully resolved after a researcher discovered it could have exposed a vast amount of sensitive customer and corporate information. The flaws, which have since been patched, involved private keys that granted extensive access to internal company data stored on Amazon Web Services.
Security researcher Eaton Zveare identified the issues within the portal, a platform dedicated to selling spare parts for Tata’s commercial vehicles. He found that the web source code contained AWS private keys. These keys provided the ability to both view and alter data within the company’s cloud account. The exposed information was substantial, reportedly including hundreds of thousands of customer invoices. These documents contained personal details such as customer names, physical mailing addresses, and their Permanent Account Numbers (PAN), a critical identification number issued by the Indian government.
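The root cause described above, AWS credentials shipped inside the web front-end's source, is one that a pre-deploy scan catches cheaply. The following is an added example, not code from the article or from Tata Motors: a small scanner that flags AWS access key IDs and secret access keys in front-end bundles before they are published, shown against a constructed "leaky" bundle and a constructed "clean" one where the browser holds no AWS credential at all. The bundle contents, file names and the `/api/invoices/.../download-url` endpoint are assumptions made for the illustration; the two credential values are the placeholder keys AWS uses in its own documentation.

```python
"""Pre-deploy scan of front-end assets for embedded AWS credentials (example)."""
import re
from typing import Dict, List

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# IAM user keys, ASIA for temporary STS keys) followed by 16 upper-case
# alphanumerics. Word boundaries keep the match from firing inside longer tokens.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# A secret access key is 40 characters of base64-like text. On its own that
# shape is too noisy for minified JS, so it is only flagged when assigned to a
# key-like name (secret_access_key, secretAccessKey, SECRET_KEY, ...).
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_?access)?_?key['\"]?\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def mask(value: str) -> str:
    """Keep just enough of a credential to identify it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_source(name: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking token, with its line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "aws_access_key_id", "value": mask(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "kind": "aws_secret_access_key", "value": mask(m.group(1))})
    return findings


def is_safe_to_ship(bundles: Dict[str, str]) -> bool:
    """Build-gate: refuse to publish if any bundle carries an AWS credential."""
    return not any(scan_source(name, text) for name, text in bundles.items())


# Constructed sample: a front-end that talks to S3 directly with a hard-coded
# long-lived key, the pattern the article describes. Both values are AWS's
# documentation placeholders, not real credentials.
LEAKY_BUNDLE = """\
var config = {
  region: "ap-south-1",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
};
var client = new S3(config);
"""

# Constructed fixed form: the browser never sees an AWS credential. It asks an
# authenticated backend (hypothetical endpoint) for a short-lived, single-object
# URL, and the backend's IAM role, not a static key, authorises the download.
CLEAN_BUNDLE = """\
async function getInvoice(id) {
  const r = await fetch("/api/invoices/" + id + "/download-url", {credentials: "include"});
  const {url} = await r.json();
  return fetch(url);
}
"""

if __name__ == "__main__":
    for name, text in {"leaky.js": LEAKY_BUNDLE, "clean.js": CLEAN_BUNDLE}.items():
        for f in scan_source(name, text):
            print(f"{f['file']}:{f['line']}: {f['kind']} {f['value']}")
    print("ship:", is_safe_to_ship({"clean.js": CLEAN_BUNDLE}))
```

The scan is a last line of defence, not the fix: the structural remedy in the clean bundle is that no AWS credential exists in the client at all, so there is nothing for a scanner to miss. Rotating the leaked key and reviewing CloudTrail for its use are the immediate response steps once a hit like this is found.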
Zveare emphasized a responsible approach to his discovery. To avoid triggering system alarms or incurring massive data transfer costs for the company, he deliberately refrained from downloading large volumes of information. Beyond the invoices, the security lapse also exposed MySQL database backups and Apache Parquet files. These files held various other pieces of private customer data and internal communications.
The scope of the vulnerability extended far beyond customer records. The compromised AWS keys also provided entry to over 70 terabytes of data associated with Tata Motors’ FleetEdge software, a system used for tracking vehicle fleets. Furthermore, Zveare uncovered a backdoor that granted administrative access to a Tableau analytics account. This account contained data related to more than 8,000 users. As a server administrator, one would have had visibility into a wide array of confidential corporate materials, including internal financial reports, performance analyses, dealer scorecards, and numerous operational dashboards. The breach also extended to API access for the Azuga fleet management platform, which supports the company’s test drive website.
The researcher responsibly disclosed his findings to Tata Motors through India’s Computer Emergency Response Team (CERT-In) in August 2023. The company acknowledged the report and later informed Zveare in October that it was addressing the AWS-related problems after securing the initial points of entry. Tata Motors has confirmed that all the reported security flaws were fully remediated during 2023. However, the automotive giant has not disclosed whether it informed individual customers that their personal data may have been exposed during the period the vulnerability was active.
A company spokesperson, Sudeep Bhalla, stated that the identified vulnerabilities were thoroughly reviewed and promptly addressed. He added that Tata Motors’ infrastructure undergoes regular audits by leading cybersecurity firms and that the company maintains comprehensive access logs to monitor for any unauthorized activity. Bhalla also highlighted the company’s policy of collaborating with industry experts and security researchers to continuously strengthen its security defenses and ensure the timely mitigation of potential risks.
(Source: TechCrunch)
