Major Data Breach at Indian Pharmacy Chain Exposes Customer Orders and Critical System Controls
A critical security vulnerability in one of India's largest pharmacy chains granted unauthorized users complete administrative access to the platform, exposing sensitive customer order data and prescription management systems. The incident affected DavaIndia Pharmacy, the retail pharmacy division of Zota Healthcare, which operates an extensive network of pharmaceutical outlets throughout India.
Security researcher Eaton Zveare identified the vulnerability after discovering insecure super administrator application programming interfaces (APIs) on DavaIndia's web platform. The researcher promptly disclosed the findings to Indian cybersecurity authorities through proper channels. The vulnerability has since been remediated, and Zveare has published a detailed technical disclosure of his findings.
The security incident occurred during a period of aggressive expansion for Zota Healthcare's DavaIndia Pharmacy operations. The Gujarat-based organization currently maintains over 2,300 retail locations across India, with 276 new stores launched in January alone. The company has announced plans to deploy an additional 1,200 to 1,500 locations over the next 24 months.
Technical Analysis of the Vulnerability
According to Zveare's investigation, the security flaw originated from inadequately secured administrative interfaces that permitted unauthenticated users to provision super administrator accounts with elevated privileges. An attacker exploiting this vulnerability could:
• Access and view thousands of customer orders containing personally identifiable information (PII)
• Modify product catalog entries and pricing structures
• Generate unauthorized discount vouchers and promotional codes
• Alter prescription requirement flags for controlled substances
• Manipulate website content and configuration settings
System timestamp analysis indicated the vulnerable administrative endpoints had been exposed since late 2024. The exposed access covered approximately 17,000 online orders and administrative controls for 883 retail locations, enabling unauthorized modifications to pricing, prescription validation rules, and promotional mechanisms.
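The flaw class described above, an administrative API that acts without checking who is calling, is shown here beside a deny-by-default gate and a deploy-time audit of the route table. This is an added illustration, not code from DavaIndia or from Zveare's disclosure; the route paths, role names and function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed roles and routes for illustration; none are DavaIndia's real endpoints.
ROLE_RANK = {"customer": 0, "store_admin": 1, "super_admin": 2}
ADMIN_PREFIX = "/api/admin/"
ROUTE_POLICY = {  # (method, path) -> minimum role, or None for a public route
    ("GET", "/api/products"): None,
    ("GET", "/api/admin/orders"): "store_admin",
    ("PUT", "/api/admin/products"): "store_admin",
    ("POST", "/api/admin/users"): "super_admin",  # creates admin accounts
}


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str


def authorize_vulnerable(method: str, path: str, session: Optional[Session]) -> int:
    """Flaw class from the article: the handler runs without consulting the session."""
    return 200


def authorize(method: str, path: str, session: Optional[Session],
              policy=ROUTE_POLICY) -> int:
    """Return the HTTP status a deny-by-default gate yields before any handler runs."""
    if (method, path) not in policy:
        return 403  # unlisted routes are refused rather than passed through
    required = policy[(method, path)]
    if required is None:
        # A public entry is honoured only outside the admin namespace.
        return 403 if path.startswith(ADMIN_PREFIX) else 200
    if session is None:
        return 401  # no authenticated session
    if ROLE_RANK.get(session.role, -1) < ROLE_RANK[required]:
        return 403  # authenticated, but role too low (or unknown)
    return 200


def unprotected_admin_routes(policy) -> list:
    """Deploy-time audit: admin routes that were declared without a required role."""
    return sorted(k for k, role in policy.items()
                  if k[1].startswith(ADMIN_PREFIX) and role is None)
```

Running `unprotected_admin_routes` in a build pipeline turns a forgotten role requirement into a failed build rather than an exposed endpoint.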
Data Privacy and Healthcare Security Implications
Pharmaceutical transaction data represents a particularly sensitive category of personal information, as it may reveal details about an individual's medical conditions, prescribed treatments, and other confidential healthcare-related purchases. The exposure of such data, regardless of whether exploitation occurred, presents significant privacy concerns and potential patient safety risks that exceed those associated with conventional e-commerce data breaches.
"Customer information was linked to their orders," Zveare explained. "This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and the products purchased. Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people."
Disclosure Timeline and Remediation
Zveare reported the vulnerability to CERT-In (Indian Computer Emergency Response Team), India's national cybersecurity incident response organization, in August 2025. The security flaw was patched within several weeks following the initial disclosure. However, formal confirmation from Zota Healthcare was not received by cybersecurity authorities until late November.
Sujit Paul, Chief Executive Officer of Zota Healthcare, did not respond to multiple email inquiries regarding the incident. The researcher emphasized that forensic analysis revealed no evidence suggesting the vulnerability had been actively exploited by malicious actors prior to remediation.
Sources:
Security researcher's disclosure - Eaton Works
Zota Health Care expansion announcement - Business Standard
DavaIndia expansion plans - MSN