Massive Tata Motors Data Leak Exposes 70+ TB of Sensitive Information

Tata Motors, India’s largest automaker and a major player in the global automotive industry, suffered a catastrophic data exposure that revealed over 70 terabytes of sensitive information through multiple security failures.

The breaches, discovered in 2023, involved exposed AWS credentials on public-facing websites, encrypted keys that were easily decrypted, a Tableau backdoor with zero authentication requirements, and an unprotected API key from fleet management systems.

Each vulnerability independently posed serious risks, but together they created a perfect storm that could have allowed attackers to access customer databases, financial records, invoice data, fleet information spanning decades, and critical administrative systems.

AWS Keys Exposed on E-Dukaan Marketplace

The first critical vulnerability emerged from E-Dukaan, Tata Motors’ spare parts e-commerce platform.

Security researchers discovered plaintext AWS access keys hardcoded directly in the website’s source code.

AWS access keys hardcoded directly in the website's source code.

These credentials granted unrestricted access to Amazon S3 buckets containing an alarming collection of sensitive data, including complete customer database backups, market intelligence reports, hundreds of thousands of invoices with personal identification numbers, and approximately 40 gigabytes of administrative order reports.

The exposure was particularly troubling because the keys were being used to download a single 4-kilobyte file containing tax codes, representing a massive security risk for an extraordinarily minimal operational benefit.

The FleetEdge fleet management platform contained a second set of AWS credentials that appeared encrypted at first glance, suggesting developers had learned from the E-Dukaan mistakes.

However, the encryption was client-side only, meaning anyone with basic technical knowledge could extract and decrypt the keys within seconds.

This represents a dangerous misconception that client-side encryption provides meaningful security when both the encrypted data and decryption keys exist on the same system.

The exposed credentials provided access to approximately 70 terabytes of data stored in a single bucket, including historical fleet intelligence data spanning back to 1996.

The exposure also granted write access to multiple websites, creating opportunities for attackers to inject malware.

Thousands of invoices for E-Dukaan containing customer information.

The E-Dukaan platform contained hardcoded Tableau credentials in source code comments, but more critically, developers had implemented a flawed authentication system.

The vulnerable code allowed users to obtain “trusted tokens” using only a username and site name, bypassing password requirements entirely.

Security researchers demonstrated they could impersonate any user on the system, including server administrators, gaining complete control over Tableau dashboards containing countless internal projects, financial reports, and dealer-specific information.

This authentication bypass meant that any individual with access to the website source code, not necessarily an authorized user, could become an administrator.
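The token-issuing flaw described above, reduced to its design error and set beside a hardened version, as an added example that is not Tata Motors' or Tableau's code. It assumes a server-side session store (`SESSIONS`), a server-only `SIGNING_KEY`, and constructed names; the point is that the username must come from the authenticated session, never from the caller.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed: what a real app keeps in its server-side session backend. The
# browser only holds an opaque session id, never a username it can choose.
SESSIONS = {"sess-7f3a": {"username": "dealer_user", "expires": time.time() + 3600}}
SIGNING_KEY = b"server-side-secret-never-shipped-to-the-client"  # assumed, server only
USED_NONCES = set()  # makes each ticket single-use


def issue_ticket_vulnerable(username: str, site: str) -> str:
    """The flawed pattern: whoever calls this picks the username. No password,
    no session check, so a ticket for 'admin' costs nothing more than any other."""
    return f"{site}|{username}|{secrets.token_hex(8)}"


def issue_ticket(session_id: str, site: str, ttl: int = 120) -> Optional[str]:
    """Hardened pattern: identity is taken from an authenticated session, and the
    ticket is HMAC-signed, bound to the site and user, short-lived and single-use."""
    session = SESSIONS.get(session_id)
    if session is None or session["expires"] < time.time():
        return None  # no valid login, no ticket
    if "|" in session["username"]:
        return None  # keep the separator unambiguous
    exp = int(time.time()) + ttl
    payload = f"{site}|{session['username']}|{exp}|{secrets.token_hex(8)}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_ticket(ticket: str, site: str) -> Optional[str]:
    """Return the username the ticket is valid for, or None. Signature is checked
    first (constant time), then site binding, expiry and single use."""
    try:
        t_site, user, exp, nonce, sig = ticket.split("|")
    except ValueError:
        return None
    payload = f"{t_site}|{user}|{exp}|{nonce}"
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if t_site != site or int(exp) < time.time() or nonce in USED_NONCES:
        return None
    USED_NONCES.add(nonce)
    return user
```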

The test drive management system relied on an Azuga API key that was hardcoded into JavaScript source code.

Azuga API key leak.

This exposed credential provided direct access to the fleet management platform, potentially allowing unauthorized individuals to track vehicle locations and monitor test drive operations in real time.

The vulnerability highlighted a broader pattern of developers treating client-side code as a secure location for sensitive credentials.
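A small source scanner for the pattern behind the E-Dukaan, FleetEdge and Azuga findings above (credentials shipped in client-side code), as an added example that is not from the article or from any of the companies named. The JavaScript sample is constructed; its key values are the placeholder credentials from AWS's own documentation, and the Azuga and Tableau strings are invented.

```python
import re
from typing import List, Tuple

# Constructed sample of client-side JavaScript showing the failure pattern.
# "AKIAIOSFODNN7EXAMPLE" and the 40-char secret are AWS documentation placeholders.
SAMPLE_JS = """
// tax code download helper (assumed name)
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
// TODO remove: tableau login tableau_user / Tableau#2023
const azugaApiKey = "azuga-api-key-placeholder-0000";
function loadTaxCodes() { return s3.getObject({Bucket: "taxcodes", Key: "codes.json"}); }
"""

# Each pattern: a label and a regex; group 1 (when present) is the secret value.
PATTERNS = [
    # AWS access key ids have a fixed prefix and length, so they are cheap to spot.
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    # A 40-char base64-ish literal near the word "aws" is very likely a secret key.
    ("aws_secret_access_key", re.compile(r"(?i)aws.{0,20}?['\"]([A-Za-z0-9/+=]{40})['\"]")),
    # Credentials left in comments (the Tableau case) never reach a secret store.
    ("credential_in_comment", re.compile(r"//.*\b(?:password|login|credentials?)\b.*", re.I)),
    # Any *api_key*-style assignment to a long string literal (the Azuga case).
    ("generic_api_key", re.compile(r"(?i)\b\w*api[_-]?key\w*\s*[=:]\s*['\"]([^'\"]{16,})['\"]")),
]


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, label, matched value) for every hit in the source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pat in PATTERNS:
            m = pat.search(line)
            if m:
                findings.append((lineno, label, m.group(m.lastindex or 0)))
    return findings


def mask(value: str) -> str:
    """Show only enough of a hit to locate it; never echo the full secret in logs."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


if __name__ == "__main__":
    for lineno, label, value in scan_source(SAMPLE_JS):
        print(f"line {lineno}: {label}: {mask(value)}")
```

Run against a built bundle rather than only the repository, since minification does not remove string literals; a hit on an AWS key id is a revoke-first signal, not a ticket to triage later.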

The security issues were reported to Tata Motors through India’s Computer Emergency Response Team (CERT-IN) on August 8, 2023, but remediation proved frustratingly slow.

While Tata Motors acknowledged receipt and claimed remediation by September 1, follow-up verification revealed that only 2 out of 4 issues had been addressed and AWS keys remained active on both websites.

It took until January 2024 for the company to fully revoke the exposed credentials after months of back-and-forth communication clarifying specific remediation steps.

These vulnerabilities demonstrated that even major international corporations can succumb to fundamental security mistakes like hardcoding credentials, using pointless client-side encryption, and implementing authentication systems with serious logical flaws.

For customers purchasing vehicles from Tata Motors, these breaches raised serious questions about data protection standards at major automotive organizations.
