Massive Data Breach at India’s Largest Pharmacy Exposes Sensitive Customer Information
In a significant cybersecurity incident, Dava India, a division of Zota Healthcare and the nation’s largest private generic pharmacy retail chain, inadvertently exposed sensitive customer data and internal system access due to insecure super admin APIs. This vulnerability, discovered by security researcher Eaton-Works, allowed unauthorized creation of privileged super admin accounts, granting full control over the pharmacy’s backend systems.
Discovery of the Vulnerability
Eaton-Works identified that Dava India’s website backend APIs lacked proper authentication checks. By interacting with these unsecured endpoints, it was possible to create a super admin user account and reset its password, thereby gaining administrative access to the entire system. This flaw exposed a wide array of sensitive information and control mechanisms within the company’s online platform.
Extent of the Exposure
The unauthorized access capabilities included:
– Customer Orders: Access to nearly 17,000 customer orders across 883 stores, revealing personal details and purchase histories.
– Product Management: Ability to edit or delete over 1,500 products, modify prices, disable prescription requirements, and generate custom coupons, including 100% off discounts.
– Website Content Control: Manipulation of website display features such as sponsored content and embedded YouTube videos, raising concerns about potential content tampering.
Essentially, an attacker could have altered nearly every element of the company’s online presence, posing significant risks to both the business and its customers.
Response and Mitigation
The vulnerability was reported to India’s Computer Emergency Response Team (CERT-IN) on August 20, 2025. Dava India addressed the issue approximately a month later, with formal confirmation received in late November 2025. Eaton-Works confirmed that no personal data was stolen and that the flaw was patched before any known exploitation. Notably, the vulnerability affected only the online systems; customers who made in-store purchases were not impacted.
Implications and Lessons Learned
This incident underscores the critical importance of secure API design, especially in sectors handling sensitive customer information like healthcare and retail. Insecure APIs can serve as gateways for attackers to gain unauthorized access to systems, leading to data breaches and potential manipulation of services.
Recommendations for Enhanced Security
To prevent similar incidents, organizations should consider the following measures:
1. Implement Robust Authentication and Authorization: Ensure that all API endpoints require proper authentication and authorization checks to prevent unauthorized access.
2. Conduct Regular Security Audits: Perform periodic assessments of systems and APIs to identify and remediate vulnerabilities promptly.
3. Adopt the Principle of Least Privilege: Limit user access rights to the minimum necessary for their roles to reduce the risk of unauthorized actions.
4. Monitor and Log API Activity: Maintain comprehensive logs of API interactions to detect and respond to suspicious activities swiftly.
5. Educate and Train Staff: Provide ongoing cybersecurity training to employees to raise awareness about potential threats and best practices.
Conclusion
The Dava India data breach serves as a stark reminder of the vulnerabilities that can exist within digital platforms and the potential consequences of inadequate security measures. By prioritizing robust cybersecurity practices, organizations can protect sensitive information, maintain customer trust, and ensure the integrity of their services.
