Major Indian Pharmacy Chain’s Data Breach Exposes Sensitive Customer Information
In a significant cybersecurity incident, DavaIndia Pharmacy, a leading pharmacy chain in India and a subsidiary of Zota Healthcare, inadvertently exposed sensitive customer data and internal systems due to a security vulnerability. This breach granted unauthorized individuals full administrative access to the company’s platform, compromising thousands of customer orders and critical drug-control functions.
Discovery of the Vulnerability
The flaw was identified by security researcher Eaton Zveare, who discovered insecure super admin application programming interfaces (APIs) on DavaIndia’s website. These vulnerabilities allowed unauthenticated users to create high-privilege accounts, providing them with extensive control over the platform. Zveare promptly reported his findings to India’s national cyber emergency response agency, CERT-In, in August 2025. The company addressed the issue within weeks, with official confirmation provided to the authorities in late November.
Extent of the Exposure
The security lapse exposed nearly 17,000 online orders and administrative controls across 883 stores. Unauthorized access could have enabled attackers to:
– View detailed customer information, including names, phone numbers, email addresses, mailing addresses, total amounts paid, and purchased products.
– Modify product listings and prices.
– Create discount coupons.
– Alter settings determining whether certain medications required a prescription.
Given the sensitive nature of pharmacy data, such exposure poses significant privacy and patient safety risks. Information about an individual’s health conditions and medications is highly confidential, and unauthorized access could lead to misuse or public disclosure of personal health information.
Company’s Response and Future Implications
Despite the severity of the breach, there is no evidence to suggest that the vulnerability was exploited before it was patched. However, the incident underscores the critical importance of robust cybersecurity measures, especially in sectors handling sensitive personal data.
Zota Healthcare, headquartered in Gujarat, operates over 2,300 DavaIndia stores across India, with plans to expand by adding another 1,200 to 1,500 outlets over the next two years. This rapid growth necessitates a parallel emphasis on strengthening cybersecurity protocols to prevent future breaches.
Broader Context of Data Breaches in India’s Healthcare Sector
This incident is part of a concerning trend of data breaches within India’s healthcare industry. In October 2024, Star Health and Allied Insurance confirmed a cyberattack that resulted in unauthorized access to customer health records and other sensitive data. Similarly, in June 2023, the ransomware group LockBit claimed responsibility for an attack on Granules India, a major pharmaceutical company, compromising significant amounts of data.
These breaches highlight the urgent need for enhanced cybersecurity measures across the healthcare sector to protect sensitive patient information and maintain public trust.
Conclusion
The DavaIndia Pharmacy data breach serves as a stark reminder of the vulnerabilities present in digital systems handling sensitive health information. As the healthcare industry continues to digitize and expand, implementing stringent cybersecurity protocols is imperative to safeguard patient data and uphold the integrity of healthcare services.
