Hacking India's largest automaker: Tata Motors
49 comments
·October 29, 2025thelastgallon
cjs_ac
TCS also contracts for Marks & Spencer, and the Co-op, both of which were also taken offline by hacking earlier this year.
fencepost
Note that M&S dropped TCS in July following the recovery. https://www.ft.com/content/289ec371-2ed4-425a-9bd0-c34e6db39... and elsewhere.
thousand_nights
> M&S chair, told MPs that hackers had used “sophisticated impersonation” to gain entry “involving a third party.”
20 bucks says this sophisticated impersonation was social engineering a $5/hour outsourced customer support employee
> The attack is expected to lower operating profits by up to £300mn this year.
that's not counting the reputation and brand damage. M&S is seen as a premium retailer and this whole hack made them seem utterly incompetent and unreliable
> had decided to opt for another service provider after the process had completed
i wonder where this other provider is based. i think i'm gonna place another 20 bucks on this.
> The retailer continues to use the Indian group for other services.
lol.
Mistletoe
At what point is it more believable that these are inside jobs done on purpose vs. incompetence? I guess that’s just Hanlon’s Razor though.
tencentshill
When you pay your support employees so little, it's not difficult for someone from a wealthier place to bribe them.
cjbgkagh
I have heard there is a growing trend of hackers paying kickbacks to insiders, certainly makes hacking easier.
jacquesm
It's perfectly believable. Whether it is more believable or not is a toss up. If you employ such a large number of people there are bound to be a couple of bad apples, and unless you have very good internal processes and monitoring it isn't all that hard to imagine someone doing something they shouldn't be doing. But absent hard evidence that it happened that way it interesting speculation but no more than that, besides, it can be impossible to distinguish between the two even if you have evidence of an inside job that looks like incompetence!
zdragnar
Based on my experience working alongside TCS, incompetence seems far more likely. If we'd asked for a back door, we'd have gotten a solid wall.
Then again, my experience may have left me a little jaded.
rdtsc
> October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.
speckx
The fact that they put their AWS secret keys on their website is incredible.
darth_avocado
Even more importantly, why do the root keys expose EVERYTHING? Do they just have one account for all of their infra?
quickthrowman
That’s exactly the kind of work I’d expect from TCS, I’m not sure why you are surprised.
YetAnotherNick
Sending it with AES encryption(with the key that the client has access to) makes it even worse, as someone knew this shouldn't be shared to client yet they shared it anyway.
horns4lyfe
If you’ve ever worked with Indian outsourcing firms it’s not
null
sharadov
Security for most Indian companies - even conglomerates is a joke.
Look at the websites - most look like they've not been upgraded since the 90s, with endless popups
alephnerd
It's a side effect of pay. Like every other company, you get what you pay for, and for organizations that view web security as a [edit:] Cost Center (eg. Tata Motors) there's no incentive to pay market rate for a Security Engineer - who in India can now demand $60k-100k TCs.
Heck, firms that provide offensive security capabilities to Indian PDs can pay $40k-50k after poaching a junior pentester or exploit developer from a PD.
vrinsd
I understand why someone might this this is a pay issue, but it's goes beyond that.
Culturually, doing something "well"(quality oriented, mindful of end-users) vs. "got it done" (transaction, pragmatic way of looking at things) is the heart of why outsourcing to many different geographical areas (India included) often results in something different than expected.
Also condemning every one in one part of the world as thinking one way is certainly not fair or true, but there are definitely unmistakable trends.
trueismywork
I dont think there's much culture when the population is just overloaded with work and traffic and stress
Nextgrid
Pay should reward doing something well vs merely doing something. Of course, this would generally mean you need to pay more than the competitor which will happily pay for merely doing something. So yes it is about pay.
dyauspitr
It is about pay. If you don’t have someone working on 5 different items continuously straining their bandwidth they tend to do better work.
alephnerd
Becuase it is about pay.
For example, most of the security portfolio that GCP provides is developed and product managed out of the Google Hyderabad office, as is a fairly major Israeli CNAPP product that starts with "A", a large CNAPP from a public Israeli-American security company that is directly positioned against Wiz, and a major security vuln mgmt and redteaming tool used by the DoD, GitHub, and Google. But all these employers pay $60k-130k TC for mid-career security professionals in India.
We scoop up anyone who is remotely competent at transnational firms or startups because we can afford to pay Western salaries, and traditional conglomerates in India largely do not care about web exploits unless they are a web platform first and foremost.
Tata Motors - being an automotive company - does not care about web development for the same reason GM doesn't as well: it isn't tangibly connected to revenue generation. As such, they will just contract it out to TCS (a Tata Group company, but both are independent of each other) at the lowest contract rate possible.
porridgeraisin
That culture at WITCH and WITCh adjacent companies is itself a result of the pay.
Ylpertnodi
> endless popups
Ypu get popups? What are you using to browse? IE5?
I sometimes get 'this site is trying to open another window -allow/ block?': answer is always 'No'.
fakedang
Not ad popups, site UI popups.
Another example, financial services publicly traded company with a recent 99% profit decline:
renewiltord
In site modals.
paxys
This shouldn't be a surprise for anyone who has worked with TCS contractors in the past.
ksynwa
So the author got nothing but a thank you out of it? That's a shame.
tehlike
At least there was a "thank you".
Some go on to sue such researchers.
paxys
Yup, they said thank you and took action only because this was a US-based researcher. Had any Indian dared to do this they'd be in for a world of pain. Not through a lawsuit, but criminal charges.
DaSHacka
Typical 'payout' for ""responsible"" disclosure.
null
driverdan
I'm curious, why wait so long to publish this? The incident was in 2023.
debarshri
This is a pessimistic comment.
I'm a cofounder of a data and identity security startup operating specifically in APAC. Data security in india a joke.
I would argue even with DPDPA, RBI C-Site and cyber resilience framework from SEBI, it is just going to not happen here.
The list PAN card the blog is taking about is probably already leaked by some other services.
The recent flipkart cash on delivery scams [1] are example of how your personal information is just out there in wild in india, open for exploitation.
There are lot of who do security in good faith (often driven by compliance) and lot of them are our customers too but I hope to see rest of indian tech ecosystem take security seriously.
[1] https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...
alephnerd
I've dealt with Indian companies for security sales and I'd say the newer generation of companies like Razorpay (YC W15) are decent at SecOps, but the older and more established companies suck at it and will continue to suck at it until there is a tangible regulatory incentive to enhance security postures.
It also appears to be a side effect of compensation - why would mid-career security professional want to earn ₹15 LPA TC working for a legacy corporation if they have the skills to land at a security MNC that can afford to pay ₹35-50 LPA in TC.
Ofc, it's us foreign investors who are able to afford those higher TCs ;) - especially if we can convert someone who was mid-career in the US but had to return to India due to family or visa issues.
It reminds me of how the Israeli security scene was 10-15 years ago, with similar problems around compensation and brain drain to MNC offices.
spprashant
This is embarrassing.
connectsnk
Are there any open source tools that scans the code and detects such gaffes
yahoozoo
Superpower by 2027.
fakedang
I'll just leave this here:
> September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated. September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active. October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done. October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.
Stay classy TCS.
Related: Jaguar Land Rover hack cost UK economy an estimated $2.5 billion, report says: https://news.ycombinator.com/item?id=45668008
The 'tech' for both these is by guess who? TCS!
Edit: For those who don't know the relation. Tata[1] is a conglomerate, which owns both Tata Motors (Jaguar, Land Rover) and also TCS (Tata Consultancy Services)
[1] https://en.wikipedia.org/wiki/Tata_Group