techcrunch.com
Jagmeet Singh
6:30 PM PDT · October 28, 2025

A security researcher found the Indian automotive giant exposing personal information of its customers, internal company reports, and dealers’ data. Tata confirmed it fixed the issues.

Indian automotive giant Tata Motors has fixed a series of security flaws that exposed sensitive internal data, including personal information of customers, company reports, and data related to its dealers.

Security researcher Eaton Zveare told TechCrunch that he discovered the flaws in Tata Motors’ E-Dukaan unit, an e-commerce portal for buying spare parts for Tata-made commercial vehicles. Headquartered in Mumbai, Tata Motors produces passenger cars, as well as commercial and defense vehicles. The company has a presence in 125 countries worldwide and seven assembly facilities, per its website.

Zveare said he found that the portal’s web source code included the private keys to access and modify data within Tata Motors’ account on Amazon Web Services, the researcher said in a blog post.

The exposed data, Zveare told TechCrunch, included hundreds of thousands of invoices containing customer information, such as their names, mailing addresses, and permanent account number (PAN), a 10-character unique identifier issued by the Indian government.

“Out of respect for not causing some type of alarm bell or massive egress bill at Tata Motors, there were no attempts to exfiltrate large amounts of data or download excessively large files,” the researcher told TechCrunch.

There were also MySQL database backups and Apache Parquet files that included various bits of private customer information and communication, the researcher noted.

The AWS keys also enabled access to over 70 terabytes of data related to Tata Motors’ FleetEdge fleet-tracking software. Zveare also found backdoor admin access to a Tableau account, which included data of over 8,000 users.
“As server admin, you had access to all of it. This primarily includes things like internal financial reports, performance reports, dealer scorecards, and various dashboards,” the researcher said.

The exposed data also included API access to Tata Motors’ fleet management platform, Azuga, which powers the company’s test drive website.

Shortly after discovering the issues, Zveare reported them to Tata Motors through the Indian computer emergency response team, known as CERT-In, in August 2023. Later in October 2023, Tata Motors told Zveare that it was working on fixing the AWS issues after securing the initial loopholes. However, the company did not say when the issues were fixed.

Tata Motors confirmed to TechCrunch that all the reported flaws were fixed in 2023 but would not say if it notified affected customers that their information was exposed.

“We can confirm that the reported flaws and vulnerabilities were thoroughly reviewed following their identification in 2023 and were promptly and fully addressed,” said Tata Motors communications head Sudeep Bhalla, when contacted by TechCrunch.

“Our infrastructure is regularly audited by leading cybersecurity firms, and we maintain comprehensive access logs to monitor for unauthorized activity. We also actively collaborate with industry experts and security researchers to strengthen our security posture and ensure timely mitigation of potential risks,” said Bhalla.

Reuters News has restored to its website an investigation into mercenary hacking after a New Delhi court lifted a takedown order it issued last year.
The article, originally published on Nov. 16, 2023, and titled “How an Indian startup hacked the world,” detailed the origins and operations of a New Delhi-based cybersecurity firm called Appin. Reuters found that Appin grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians and wealthy elites around the globe.

CloudSEK's threat research team has uncovered a ransomware attack disrupting India's banking system, targeting banks and payment providers. Initiated through a misconfigured Jenkins server at Brontoo Technology Solutions, the attack is linked to the RansomEXX group.

Rapid7 investigated suspicious behavior emanating from the installation of Notezilla, RecentX, & Copywhiz. These installers are distributed by Conceptworld.

Conceptworld software installers trojanized with data-stealing malware. Users of Notezilla, RecentX, and Copywhiz urged to check for compromise.

Apple's warnings in late October that Indian journalists and opposition figures may have been targeted by state-sponsored attacks prompted a forceful Behind closed doors, senior officials from Modi's administration demanded that Apple soften the political impact of the state-sponsored warnings, according to Washington Post.

A mandatory app exposed the personal information of students and teachers across the country for over a year.

In a quiet alcove of the opulent Leela Palace hotel in Delhi, two British corporate investigators were listening intently to a young Indian entrepreneur as he made a series of extraordinary confessions.

The 28-year-old computer specialist Tej Singh Rathore described his role as a player in a burgeoning criminal industry stealing secrets from people around the world. He had hacked more than 500 email accounts, mostly on behalf of his corporate intelligence clients.

New details connect police in India to a plot to plant evidence on victims' computers that led to their arrest.