Indian pharmacy chain giant exposed customer data and internal systems

A security flaw in DavaIndia Pharmacy, part of Zota Healthcare, exposed sensitive customer data and internal systems, allowing unauthorized access for nearly 17,000 orders. The vulnerability, linked to insecure admin interfaces, was reported to cybersecurity authorities and fixed within weeks. DavaIndia plans rapid expansion, raising privacy concerns over customer data in the pharmacy sector.

Key Points

• 1. Security lapse: DavaIndia Pharmacy's system allowed unauthorized access due to insecure 'super admin' APIs.
• 2. Data exposure: Nearly 17,000 online orders and sensitive administrative controls across 883 stores were exposed.
• 3. Vulnerability discovery: Researcher Eaton Zveare reported the issue to Indian cybersecurity authorities in August 2025.
• 4. Potential risks: Exposed data included personal customer information tied to their health-related purchases, heightening privacy concerns.
• 5. Company operations: DavaIndia is rapidly scaling, with plans to open 1,200 to 1,500 new outlets over the next two years.

Relevance

• 1. Cybersecurity breaches in healthcare are increasingly severe due to the sensitive nature of health-related data.
• 2. The incident mirrors broader trends in IT where companies face pressure to quickly scale operations without sufficient cybersecurity measures.
• 3. Regulatory scrutiny over data protection is intensifying globally, especially in healthcare, similar to HIPAA in the U.S.

The exposure of data at DavaIndia Pharmacy underscores the critical need for secure practices in rapidly expanding tech-driven healthcare sectors, reflecting the evolving risks in handling personal health information.