Major Data Exposure at Indian Pharmacy Chain
A significant security lapse at one of India's largest pharmacy chains has led to the exposure of customer order data and critical internal systems. The vulnerability, which affected DavaIndia Pharmacy, the retail arm of Zota Healthcare, reportedly allowed unauthorized individuals to gain complete administrative control over the platform.
The issue was discovered by security researcher Eaton Zveare, who identified insecure "super admin" application programming interfaces on the DavaIndia website. He privately shared the details with Indian cybersecurity authorities. While the bug has since been fixed and the researcher has disclosed his findings, the incident highlights ongoing security challenges as the company rapidly expands.
Vast Retail Expansion Meets Security Vulnerability
Zota Healthcare operates an extensive network of over 2,300 DavaIndia stores across India, with plans to open an additional 1,200 to 1,500 outlets in the coming years. This rapid growth may have outpaced the implementation of robust security measures.
How the Breach Occurred
According to Zveare, the flaw originated from unsecured administrative interfaces. These interfaces allowed unauthenticated users to create "super admin" accounts with extensive privileges. Such access could enable attackers to:
- View thousands of online orders, including sensitive customer information.
- Modify product listings and pricing.
- Generate discount coupons.
- Alter settings related to prescription requirements for medications.
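The bug class described above, shown as an added sketch (not DavaIndia's code, which is not public): an account-creation handler that trusts the caller's requested role, beside a deny-by-default version. The role names, the `Session` type and both function names are assumptions made for illustration.

```python
# Added illustration: role names, Session and both handlers are hypothetical.
from dataclasses import dataclass
from typing import Optional

SELF_SERVICE_ROLES = {"customer"}                    # anyone may sign up as these
PRIVILEGED_ROLES = {"store_admin", "super_admin"}    # must be granted by an admin


@dataclass(frozen=True)
class Session:
    user: str
    role: str


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the request."""


def create_account_vulnerable(session: Optional[Session], body: dict) -> dict:
    # Flaw: the session is never checked and the role is taken from the
    # request body, so an anonymous caller can ask for "super_admin".
    return {"user": body["user"], "role": body.get("role", "customer")}


def create_account_hardened(session: Optional[Session], body: dict) -> dict:
    role = body.get("role", "customer")
    # Deny by default: reject any role the server does not know about.
    if role not in SELF_SERVICE_ROLES | PRIVILEGED_ROLES:
        raise Forbidden("unknown role")
    if role in PRIVILEGED_ROLES:
        # Privileged roles need an authenticated caller...
        if session is None:
            raise Forbidden("authentication required")
        # ...who already holds the highest role (server-side state, not input).
        if session.role != "super_admin":
            raise Forbidden("only a super admin may grant privileged roles")
    return {
        "user": body["user"],
        "role": role,
        "created_by": session.user if session else None,  # audit trail
    }
```

The same check belongs on every administrative route (orders, pricing, coupons, prescription settings), enforced on the server rather than hidden in the client.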
Scope and Impact of the Exposure
The vulnerable administrative interfaces are believed to have been active since late 2024. Zveare estimates that approximately 17,000 online orders were exposed. The administrative controls for 883 stores were potentially accessible, allowing for changes to pricing, prescription rules, and promotional offers. The researcher also noted that website content could have been altered, leading to defacement or operational disruption.
Pharmacy order data is particularly sensitive, potentially revealing private health conditions, medication details, and other personal purchases. Even without direct evidence of misuse, such data exposure carries significant privacy and patient safety risks.
"Customer information was linked to their orders," Zveare stated. "This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and the products purchased. Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people."
Reporting and Resolution
Zveare reported the vulnerability to CERT-In, India's national cyber emergency response agency, in August 2025. The issue was reportedly fixed within weeks. However, formal confirmation from the company was provided to the cyber authorities in late November.
As of the time of reporting, Sujit Paul, CEO of Zota Healthcare, had not responded to inquiries. The researcher indicated that there was no evidence to suggest the vulnerability was exploited before it was patched. This incident underscores the critical need for continuous security vigilance, especially for organizations handling sensitive personal and health data, a key focus of Devignitor Insights.