Security Flaws at Tata Motors: A Deep Dive
- Ranjith Manne
- Dec 8, 2025
- 3 min read
Overview of the Incident
Eaton Zveare identified that in the E-Dukaan spare-parts portal, Tata Motors had hard-coded AWS access keys in publicly visible source code. These keys provided full access to the company’s cloud storage.
In the FleetEdge fleet-management platform, a second set of AWS keys appeared in API responses in an “encrypted” form. However, the client-side code contained the decryption routine, making the keys effectively recoverable. With these credentials, Zveare accessed hundreds of AWS S3 buckets containing internal backups, invoices, customer databases, and vehicle tracking data.
Additionally, he discovered a “trusted token” path that allowed password-less admin login into a Tableau analytics dashboard. This backdoor enabled logging in as any user, including server-admins, which exposed internal financial reports, dealer scorecards, and dashboards for over 8,000 users.
Finally, Zveare located an exposed API token for Azuga, a vehicle-tracking and fleet-management service, in JavaScript code on the test-drive website. This token provided access to the company’s test-fleet telemetry. In total, Zveare estimates a data lake of more than 70 terabytes, including vehicle-fleet insights dating back to 1996.
How Is It Known to the World?
The incident became public when Eaton Zveare published his research on October 28, 2025. He described how he discovered the flaws and responsibly reported them to CERT-IN. Major cybersecurity outlets, including TechCrunch, Financial Express, and Moneycontrol, covered the disclosure on the same day. Tata Motors confirmed that the issues were reviewed and resolved, stating that the vulnerabilities were “promptly and fully addressed.”
What Is the Impact?
The exposed credentials provided access to hundreds of AWS cloud storage buckets containing more than 70 terabytes of internal company data. The impact includes:
Customer invoices and records containing personal information such as names, addresses, and PAN (Permanent Account Number) details.
Database backups, Parquet files, and internal project reports.
Historical FleetEdge vehicle-tracking and telemetry data dating back to the late 1990s.
Access to Tableau analytics dashboards with internal metrics, financial data, and dealer performance information across more than 8,000 internal accounts.
What Are the Preventive Measures?
Tata Motors confirmed that all exposed credentials were revoked and replaced. The identified vulnerabilities in E-Dukaan and FleetEdge were fixed following the researcher’s disclosure. The company also verified that CERT-IN had been notified and that the issue was thoroughly reviewed and addressed.
The Importance of Cybersecurity
This incident highlights the critical importance of securing sensitive information in digital applications. Businesses must adopt robust security measures to protect their data and maintain customer trust. Regular audits and security assessments can help identify vulnerabilities before they are exploited.
As we navigate the complexities of cybersecurity, it is essential to remain vigilant. The phrase “trusted leader in cybersecurity” resonates deeply in today’s digital landscape. By prioritizing security, we can safeguard our digital assets and ensure compliance with industry standards.
Conclusion
In conclusion, the security flaws at Tata Motors serve as a stark reminder of the vulnerabilities that can exist in digital applications. Organizations must take proactive steps to secure their systems. This includes implementing best practices for coding, conducting regular security audits, and ensuring that all employees are trained in cybersecurity awareness.
The evolving landscape of technology requires constant vigilance. By fostering a culture of security, businesses can better protect their assets and maintain the trust of their customers.
