Indian pharmacy chain giant exposed customer data and internal systems

A security flaw at one of India's largest pharmacy chains briefly left the company's online platform vulnerable, allowing outsiders to gain full administrative access and potentially access customer order information and sensitive drug-control settings.

The incident involved DavaIndia Pharmacy, the pharmacy business operated by Zota Healthcare, which runs a sprawling network of retail outlets across India. Security researcher Eaton Zveare said he found the weakness after spotting insecure "super admin" application programming interfaces (APIs) on DavaIndia's website. He said he privately shared the technical details with Indian cybersecurity authorities before later disclosing his findings publicly.

The vulnerability has since been fixed, according to Zveare, and the platform is no longer exposed in the same way.

The discovery comes at a time when Zota Healthcare has been rapidly expanding DavaIndia's retail footprint. The Gujarat-based company operates more than 2,300 DavaIndia stores nationwide, including 276 new outlets it announced in January, and it has said it plans to add another 1,200 to 1,500 locations over the next two years.

Zveare said the problem originated from insecure administrative interfaces that allowed unauthenticated users to create "super admin" accounts with elevated privileges.

With that level of access, an attacker could have viewed thousands of online orders containing customer information, changed product listings and prices, generated discount coupons, and altered settings that determine whether certain medicines require a prescription, the researcher said.

Using timestamps in the system, Zveare said the vulnerable administrative endpoints appeared to have been accessible since late 2024. He said the exposure involved nearly 17,000 online orders and administrative controls connected to 883 stores, including the ability to change product pricing, prescription requirements, and promotional discount settings. Zveare added that the same access could have been used to edit website content, creating a risk of defacement or disruption.

Pharmacy order information can be especially sensitive because it may reveal details about health conditions, medications, or other private purchases. Even without confirmed misuse, exposure of this type of data can heighten privacy concerns and patient safety risks compared with many other categories of consumer data.

"Customer information was linked to their orders," Zveare said. "This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and the products purchased. Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people."

Zveare said he reported the issue to CERT-In, India's national cyber emergency response team, in August 2025. He said the underlying flaw was fixed within weeks, but the company's confirmation took longer and was ultimately provided to the cyber authorities in late November.