Security Breach at DavaIndia Pharmacy Exposes Customer Data
A recent security lapse at one of India’s leading pharmacy chains, DavaIndia Pharmacy, has raised concerns after outsiders gained full administrative control of the platform. This breach allowed access to sensitive customer order data and drug-control functions, highlighting the importance of robust cybersecurity measures in the healthcare industry.
Security researcher Eaton Zveare discovered the vulnerability, which stemmed from insecure “super admin” APIs on DavaIndia’s website. After privately sharing details with Indian cybersecurity authorities, the issue was promptly addressed and fixed. Zveare’s findings were later disclosed on his blog.
Impact on Zota Healthcare’s Expansion Plans
Zota Healthcare, the parent company of DavaIndia Pharmacy, has been rapidly expanding its retail business, with plans to open thousands of new stores in the coming years. However, this security incident has raised questions about the company’s data protection measures and the potential risks associated with such rapid growth.
The vulnerability allowed unauthorized users to create “super admin” accounts, granting them extensive control over the platform. This access could be used to view customer orders, modify product listings, create discounts, and change prescription requirements for certain medications.
According to Zveare, the vulnerable interfaces had been live since late 2024, exposing thousands of online orders and administrative controls across hundreds of stores. This breach not only jeopardized customer privacy but also posed risks to patient safety and data security.
Addressing the Issue and Ensuring Data Privacy
Zveare reported the security flaw to CERT-In, India’s national cyber emergency response agency, in August 2025. While the vulnerability was promptly fixed, concerns remain about the potential impact on customer trust and the need for stronger cybersecurity protocols in the healthcare sector.
Customer information linked to online orders, including names, contact details, addresses, and purchase history, could be considered sensitive and private. The exposure of such data underscores the importance of safeguarding patient information and implementing robust security measures to prevent unauthorized access.
Sujit Paul, CEO of Zota Healthcare, has yet to respond to inquiries about the incident. However, there is no evidence to suggest that the breach was exploited before being addressed.
As the healthcare industry continues to digitize and expand its online presence, ensuring data privacy and security must be a top priority for organizations like Zota Healthcare. By learning from incidents like this and strengthening cybersecurity measures, companies can better protect customer data and uphold their commitment to privacy and trust.