India's largest pharmacy chain, DavaIndia Pharmacy, has exposed customer order data and internal systems due to a security lapse, TechCrunch has learned. The issue, which has been fixed, allowed outsiders to gain full administrative control of the platform.
DavaIndia Pharmacy is the pharmacy arm of Zota Healthcare, which operates over 2,300 retail outlets across India. The company recently announced the addition of 276 new outlets and plans to add another 1,200 to 1,500 stores over the next two years.
The security flaw was discovered by researcher Eaton Zveare, who found insecure "super admin" application programming interfaces (APIs) on DavaIndia's website. The vulnerability, which had been live since late 2024, exposed nearly 17,000 online orders and administrative controls spanning 883 stores.
The Vulnerability
The flaw allowed unauthenticated users to create "super admin" accounts with high privileges, giving them access to sensitive customer information, including names, phone numbers, email IDs, and mailing addresses. The vulnerability also allowed edits to website content, product pricing, and prescription requirements.
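To show the class of flaw described above, here is an added Python sketch that is not DavaIndia's or Zota Healthcare's code and assumes nothing about their stack: a privileged account-creation handler that trusts any caller, beside a hardened version that enforces authentication, authorization and input validation before minting a "super admin". The request model and in-memory user store are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory user store: username -> role (assumption, not a real backend)
USERS: dict = {}


@dataclass
class Request:
    body: dict                          # parsed JSON body of the API call
    session_user: Optional[dict] = None  # None means the caller is unauthenticated


def create_super_admin_vulnerable(req: Request) -> tuple:
    """Vulnerable: no authentication or authorization check at all.

    Any anonymous caller can create a high-privilege account, which is the
    kind of exposure the article describes.
    """
    USERS[req.body["username"]] = "super_admin"
    return 201, "created"


def create_super_admin_hardened(req: Request) -> tuple:
    """Hardened: authenticate, then authorize, then validate input."""
    # 1. Authentication: anonymous callers are rejected outright.
    if req.session_user is None:
        return 401, "authentication required"
    # 2. Authorization: only an existing super admin may create another one.
    if req.session_user.get("role") != "super_admin":
        return 403, "forbidden"
    # 3. Input validation: reject malformed or oversized usernames.
    name = req.body.get("username", "")
    if not name or not name.isalnum() or len(name) > 32:
        return 400, "invalid username"
    USERS[name] = "super_admin"
    return 201, "created"


def count_super_admins() -> int:
    """Helper for checking how many privileged accounts exist in the store."""
    return sum(1 for role in USERS.values() if role == "super_admin")
```

A detection-minded reviewer would also log every 401/403 on this endpoint, since a burst of rejected calls to an admin-creation route is worth alerting on.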
Zveare reported the issue to CERT-In, India's national cyber emergency response agency, in August 2025, and the vulnerability was fixed within weeks. However, confirmation from the company took longer and was provided to the cyber authorities in late November.
Impact and Response
The exposure of customer data and internal systems carries heightened privacy and patient-safety risks. Zveare noted that the products being purchased could be considered private and even embarrassing for some people. The company's CEO, Sujit Paul, did not respond to emails sent by TechCrunch.
The incident highlights the importance of robust security measures, particularly for companies handling sensitive customer data. As Zota Healthcare continues to expand its retail business, it must prioritize the security of its platform to protect customer information.