Data Leaks at Indian Pharmacy Giant Expose Thousands of Customer Records

A significant security vulnerability at one of India’s largest pharmaceutical retailers has exposed sensitive customer and operational data to potential unauthorized access. The incident involving DavaIndia Pharmacy, operated by Zota Healthcare, reveals how rapid business expansion can sometimes overshadow critical cybersecurity measures. TechCrunch’s investigation uncovered that the Indian pharmacy network left its administrative systems virtually unprotected, allowing anyone with basic technical knowledge to gain full control over customer information and store operations.

How Unsecured Admin Access Left Customer Data Vulnerable

Security researcher Eaton Zveare discovered that DavaIndia’s platform contained poorly secured “super admin” APIs that required no authentication to access. This critical flaw meant that any individual could create high-level administrator accounts and gain unrestricted access to the pharmacy’s entire operation. Once inside, a malicious actor could manipulate nearly every aspect of the business.

The scope of potential damage was extensive. Attackers could have accessed thousands of customer orders containing personal health information, modified product pricing and availability, generated fraudulent promotional codes, and most dangerously, altered prescription requirements for medications—potentially enabling the sale of restricted drugs without proper verification. The vulnerable administrative interfaces had been accessible since late 2024, leaving the system exposed for several months.

During this exposure period, approximately 17,000 online orders and the administrative controls for 883 pharmacy locations across India remained exposed. This meant prescription rules, pricing structures, and promotional offers could have been modified without detection or authorization.

Indian Pharmacy Chain’s Growth Outpaced Security Measures

DavaIndia’s parent company, Zota Healthcare, has been experiencing rapid expansion while this vulnerability remained unaddressed. Based in Gujarat, the company currently operates more than 2,300 pharmacy outlets nationwide. The company recently launched 276 new locations in early 2025 and has aggressive plans to open an additional 1,200 to 1,500 stores over the next two years.

This growth trajectory highlights a common pattern in rapidly scaling companies: infrastructure expansion sometimes occurs faster than security protocols can be properly implemented and maintained.

The Sensitive Nature of Pharmacy Data Leaks

Customer pharmacy records represent some of the most private information available online. Unlike other retail transactions, medication purchases can reveal detailed health conditions, mental health treatments, chronic disease management, and other deeply personal medical information. The DavaIndia incident exposed exactly this type of data.

According to Zveare’s analysis, the compromised order data included customer names, phone numbers, email addresses, mailing addresses, payment amounts, and itemized purchase records. “This information could be highly personal or even embarrassing for some individuals,” Zveare explained, noting that pharmacy products often indicate sensitive health conditions that users prefer to keep confidential.

Discovery and Resolution of the Indian Pharmacy Incident

Zveare privately reported his findings to Indian cybersecurity officials and CERT-In (India’s national cybersecurity response team) in mid-2025. The vulnerability was resolved within weeks of the initial report. However, official confirmation from DavaIndia was only provided to authorities by year-end, according to Zveare’s timeline.

TechCrunch attempted to reach Sujit Paul, CEO of Zota Healthcare, for comment but did not receive a response. Zveare confirmed that there is currently no evidence the security flaw was exploited maliciously before it was fixed, though the mere existence of the vulnerability represents a significant breach of customer trust.

This incident underscores the critical importance of security assessments during periods of rapid growth, and the need for companies—especially those handling sensitive pharmacy and healthcare data—to maintain robust authentication protocols and regular security audits.
