Indian pharmacy chain giant exposed customer data and internal systems
Source: TechCrunch
Incident Overview
Security researcher Eaton Zveare discovered insecure “super admin” application programming interfaces (APIs) on DavaIndia’s website. The flaw let anyone create super‑admin accounts with high privileges. Zveare reported the issue privately to CERT‑In, India’s national cyber emergency response agency, and later described his findings in a public post (linked under References).
Scope and Impact
- The vulnerable admin interfaces were live since late 2024.
- Approximately 17,000 online orders from 883 stores were exposed.
- Exposed data included customers’ names, phone numbers, email IDs, mailing addresses, total amount paid, and the specific products purchased.
- With super‑admin access, an attacker could:
  - View and download order records.
  - Modify product listings, prices, and discount coupons.
  - Change prescription‑requirement settings for medicines.
  - Edit website content, potentially enabling defacement or disruption.
Pharmacy order data is especially sensitive because it can reveal health conditions, medication regimens, or other private purchases, raising heightened privacy and patient‑safety concerns.
Vulnerability Details
The flaw stemmed from admin interfaces that performed no authentication or authorization check before creating super‑admin accounts. Account creation at the highest privilege level is itself a privileged operation and should only be reachable by an already‑authenticated, already‑privileged caller; omitting that check handed any anonymous visitor unrestricted control over:
- Order databases.
- Product and pricing configurations.
- Prescription‑validation rules.
- Promotional mechanisms (e.g., discount coupons).
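To make the class of bug concrete, the following is an added illustration, not DavaIndia’s code and not taken from Zveare’s post: a minimal admin‑account‑creation handler that trusts the request body and never asks who is calling, placed beside a hardened version that authenticates the caller, refuses to grant a role above the caller’s own, rejects duplicates, and records an audit entry. The request/response shapes, the role names, and the bearer‑token scheme are all assumptions for the example.

```python
# Added illustration: an admin-account-creation endpoint with no caller check,
# beside a hardened version. Hypothetical code, not DavaIndia's implementation;
# request shape, role names and token handling are assumptions.
import secrets
from dataclasses import dataclass, field

ROLE_RANK = {"customer": 0, "admin": 1, "super_admin": 2}


@dataclass
class Account:
    username: str
    role: str
    token: str  # opaque bearer token issued at creation


@dataclass
class Backend:
    accounts: dict = field(default_factory=dict)   # username -> Account
    by_token: dict = field(default_factory=dict)   # token -> Account
    audit: list = field(default_factory=list)      # (actor, action, target)


def _issue_account(backend, username, role):
    acct = Account(username, role, secrets.token_urlsafe(32))
    backend.accounts[username] = acct
    backend.by_token[acct.token] = acct
    return acct


# Vulnerable: the handler never identifies the caller, so any anonymous
# request mints a super_admin account with a valid token.
def create_admin_vulnerable(backend, request):
    body = request.get("json") or {}
    username = body.get("username")
    if not username:
        return 400, {"error": "username required"}
    acct = _issue_account(backend, username, body.get("role", "super_admin"))
    return 201, {"username": acct.username, "role": acct.role}


def _caller(backend, request):
    """Resolve the Authorization bearer token to an account, or None."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return backend.by_token.get(auth[len("Bearer "):])


# Hardened: authenticate first, then authorize against the privilege being
# granted, reject duplicate usernames, and record who did what.
def create_admin_hardened(backend, request):
    caller = _caller(backend, request)
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller.role not in ("admin", "super_admin"):
        return 403, {"error": "admin role required"}
    body = request.get("json") or {}
    username = body.get("username")
    role = body.get("role", "admin")
    if not username or role not in ROLE_RANK:
        return 400, {"error": "username and a known role are required"}
    if ROLE_RANK[role] > ROLE_RANK[caller.role]:
        return 403, {"error": "cannot grant a role above your own"}
    if username in backend.accounts:
        return 409, {"error": "username already exists"}
    acct = _issue_account(backend, username, role)
    backend.audit.append((caller.username, "create_account", f"{username}:{role}"))
    return 201, {"username": acct.username, "role": acct.role}


def demo():
    """Exercise both handlers with constructed requests; return the outcomes."""
    backend = Backend()
    root = _issue_account(backend, "root", "super_admin")   # bootstrap account
    anon = {"json": {"username": "attacker"}}               # no credentials at all
    vuln_status, vuln_body = create_admin_vulnerable(Backend(), anon)
    hard_anon, _ = create_admin_hardened(backend, anon)
    as_root = {"headers": {"Authorization": f"Bearer {root.token}"},
               "json": {"username": "ops", "role": "admin"}}
    hard_root, _ = create_admin_hardened(backend, as_root)
    ops = backend.accounts["ops"]
    as_ops = {"headers": {"Authorization": f"Bearer {ops.token}"},
              "json": {"username": "escalate", "role": "super_admin"}}
    hard_ops, _ = create_admin_hardened(backend, as_ops)   # admin tries to mint super_admin
    return {"vulnerable_anon": (vuln_status, vuln_body["role"]),
            "hardened_anon": hard_anon,
            "hardened_root": hard_root,
            "hardened_admin_escalation": hard_ops,
            "audit_entries": len(backend.audit)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the contrast: the vulnerable handler returns 201 with role `super_admin` to a request carrying no credentials, while the hardened handler answers the same request with 401, lets the bootstrap super‑admin create an `admin` (201), and refuses that admin’s attempt to create a `super_admin` (403). The rank check matters even once authentication is in place, because a lower‑privileged admin account is a far more common phishing or credential‑stuffing target than the top‑level one.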
Response and Mitigation
- Zveare reported the vulnerability to CERT‑In, India’s national cyber emergency response agency, in August 2025.
- The bug was patched within weeks, though the company’s formal confirmation arrived only in late November 2025.
- No evidence was found that the flaw had been exploited before the patch.
Company Background
Zota Healthcare, headquartered in Gujarat, operates a large network of DavaIndia retail outlets across India. Recent expansion highlights include:
- Over 2,300 DavaIndia stores nationwide.
- An addition of 276 new outlets announced in January 2026 (Business Standard; see References).
- Plans to open 1,200–1,500 more stores over the next two years (MSN; see References).
References
- Eaton Zveare’s disclosure post: https://eaton-works.com/2026/02/13/dava-india-hack/
- Business Standard article on new outlets: https://www.business-standard.com/markets/capital-market-news/zota-health-care-gains-after-adding-276-davaindia-stores-in-q3-fy26-126010200369_1.html
- MSN report on future expansion: https://www.msn.com/en-in/lifestyle/pets-animals/zota-health-care-to-pump-rs-350-crore-into-dawa-india-plans-1-500-stores-in-two-years/ar-AA1SOVYR?apiversion=v2&domshim=1&noservercache=1&noservertelemetry=1&batchservertelemetry=1&renderwebcomponents=1&wcseo=1