Hustler Words – Indian automotive giant Tata Motors has addressed a series of critical security vulnerabilities that inadvertently exposed sensitive company and customer data. The flaws, discovered by security researcher Eaton Zveare, affected the company’s E-Dukaan portal, an e-commerce platform for spare parts of Tata commercial vehicles.
Zveare revealed that the portal’s source code contained private keys granting unauthorized access to Tata Motors’ Amazon Web Services (AWS) account. This exposure potentially allowed malicious actors to access and modify data. The researcher responsibly disclosed the findings through CERT-In in August 2023.
The exposed data included hundreds of thousands of customer invoices containing names, addresses, and PAN numbers, as well as MySQL database backups and Apache Parquet files with private customer information. Access was also granted to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software, and backdoor admin access to a Tableau account containing data of over 8,000 users. This included internal financial reports, performance reports, and dealer scorecards. Furthermore, API access to Tata Motors’ fleet management platform, Azuga, was also compromised.
Related Post
Zveare stated he refrained from downloading large amounts of data to avoid causing alarm or incurring excessive egress charges for Tata Motors.
Tata Motors confirmed to hustlerwords.com that the vulnerabilities were fixed in 2023, but did not comment on whether affected customers were notified. "We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed," said Sudeep Bhalla, head of communications at Tata Motors, in a statement to hustlerwords.com.
Bhalla added that the company regularly audits its infrastructure and collaborates with cybersecurity experts to strengthen its security posture.
Leave a Comment