A Security Lapse Exposed Customer Data and Control Functions at DavaIndia Pharmacy
The recent security breach at DavaIndia Pharmacy, a major pharmacy chain in India, has raised concerns about the protection of customer data and sensitive drug-control functions. Security researcher Eaton Zveare discovered a critical flaw that allowed outsiders to gain full administrative control of the platform, potentially compromising thousands of online orders and store settings.
Zveare identified insecure “super admin” APIs on DavaIndia’s website, which enabled unauthorized users to create powerful accounts with extensive privileges. This vulnerability could have been exploited to access customer information, modify product listings, create discount coupons, and alter prescription requirements for medications.
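As an added illustration (constructed for this article, not DavaIndia's own code, which is not public), the failure mode described above: an account-creation endpoint that never verifies the caller and trusts a client-supplied role, beside a hardened version that authenticates the caller, resolves their role from server-side records, refuses to grant a role above the caller's own, and writes every decision to an audit log. The `Request`, `AccountStore` and role names are assumptions made for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed privilege ladder for the demo; "super_admin" is the role the
# article says outsiders could grant themselves.
ROLES = {"customer": 0, "store_admin": 1, "super_admin": 2}

@dataclass
class Request:
    """Stand-in for an HTTP call to the account-creation API (constructed)."""
    session_user: Optional[str]   # None when the caller is not logged in
    body: dict                    # e.g. {"username": "mallory", "role": "super_admin"}

@dataclass
class AccountStore:
    accounts: dict = field(default_factory=lambda: {"alice": "super_admin",
                                                    "bob": "store_admin"})
    audit_log: list = field(default_factory=list)

def create_account_vulnerable(store: AccountStore, req: Request) -> bool:
    # Flaw: nobody checks who is calling, and the role comes straight from
    # the request body, so an anonymous caller can mint a super_admin.
    store.accounts[req.body["username"]] = req.body["role"]
    return True

def create_account_hardened(store: AccountStore, req: Request) -> bool:
    who = req.session_user
    wanted = req.body.get("role", "customer")
    # Resolve the caller's role from the server's own records, never from
    # anything the client sent.
    caller_role = store.accounts.get(who) if who is not None else None
    allowed = (
        caller_role in ROLES
        and ROLES[caller_role] >= ROLES["store_admin"]  # must be an admin at all
        and wanted in ROLES
        and ROLES[wanted] <= ROLES[caller_role]         # no granting above own level
    )
    if not allowed:
        # Denied attempts are logged too: repeated anonymous calls to an
        # admin endpoint are exactly the signal a SOC wants to alert on.
        store.audit_log.append(("DENIED", who, req.body.get("username"), wanted))
        return False
    store.accounts[req.body["username"]] = wanted
    store.audit_log.append(("CREATED", who, req.body["username"], wanted))
    return True
```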
The issue, which has since been resolved, exposed approximately 17,000 online orders and administrative controls across 883 stores. Zveare revealed that the vulnerable interfaces had been live since late 2024, highlighting the prolonged exposure of sensitive data.
Customer privacy and safety are paramount in the healthcare industry, especially when it comes to pharmacy orders that may contain personal health information. The potential misuse of such data could have serious implications for individuals’ privacy and well-being.
Upon discovering the security lapse, Zveare promptly reported it to CERT-In, India’s national cyber emergency response agency. The vulnerability was addressed within weeks, although confirmation from DavaIndia Pharmacy was delayed until late November.
Zota Healthcare, the parent company of DavaIndia Pharmacy, has been rapidly expanding its retail presence, with plans to open more stores in the coming years. Despite the security incident, there is no evidence to suggest that the flaw was exploited prior to being patched.
Overall, the incident serves as a reminder of the importance of robust cybersecurity measures in safeguarding sensitive data and maintaining customer trust. It also underscores the need for companies to prioritize security protocols to prevent unauthorized access and potential data breaches.