Major Indian Pharmacy Chain Exposes Customer Data and Systems
▼ Summary
– A security flaw in DavaIndia Pharmacy’s website allowed unauthenticated users to create powerful “super admin” accounts, exposing its platform.
– This lapse gave potential attackers access to nearly 17,000 customer orders containing sensitive personal and health-related purchase information.
– The vulnerability also allowed control over critical functions like modifying drug prices, prescription requirements, and creating promotional discounts.
– Security researcher Eaton Zveare discovered and reported the flaw, which was live since late 2024 and fixed within weeks after his August 2025 report.
– The parent company, Zota Healthcare, which operates over 2,300 stores, did not respond to inquiries, and there is no evidence the flaw was exploited before patching.
A significant security vulnerability at a major Indian pharmacy retailer recently compromised sensitive customer data and critical internal systems, according to an exclusive investigation. The lapse provided unauthorized individuals with complete administrative control over the company’s digital platform, putting private health information and essential drug-safety functions at risk. The incident highlights the critical need for robust cybersecurity measures in the healthcare sector, where data breaches carry profound implications for patient privacy and safety.
The issue involved DavaIndia Pharmacy, the retail pharmacy division of Zota Healthcare. A security researcher identified the problem after discovering improperly secured administrative interfaces on the company’s website. These interfaces allowed anyone to create powerful “super admin” accounts without requiring any authentication. The researcher privately reported the detailed findings to India’s national cybersecurity authorities, leading to a fix for the vulnerability.
This exposure occurred as Zota Healthcare aggressively expands its DavaIndia retail footprint. The Gujarat-based corporation runs over 2,300 stores nationwide and had announced plans to open hundreds more in the coming years. The insecure administrative panels, which appeared to have been active since late 2024, granted access to data and controls for 883 store locations.
With this level of privileged access, a malicious actor could have viewed thousands of online customer orders. The researcher confirmed that the exposed data included customer names, phone numbers, email addresses, physical delivery locations, payment totals, and detailed lists of purchased products. For a pharmacy, such information is exceptionally sensitive, as it can reveal intimate details about an individual’s health conditions, treatments, and personal purchases, potentially causing embarrassment or distress.
Beyond data exposure, the flaw allowed for extensive system manipulation. An attacker could have altered product listings and prices, generated promotional discount coupons, and critically, changed the settings dictating whether specific medications required a valid prescription. This last capability represents a serious drug-safety concern, as it could bypass important regulatory controls. The access also permitted edits to website content, opening the door to defacement or operational disruption.
The security researcher reported the vulnerability to CERT-In, India’s primary cyber emergency response team, in August 2025. The technical flaw was addressed within several weeks, though formal confirmation from the company to authorities did not occur until late November. According to the researcher’s analysis, there is no evidence to suggest the vulnerability was actively exploited by malicious parties before the patch was applied. The chief executive of Zota Healthcare did not respond to requests for comment on the incident.
(Source: TechCrunch)
