India Pharmacy Data Breach: Admin Access Exposed Orders
14 Feb
Summary
- A security flaw allowed unauthorized admin access to sensitive data.
- Customer order data and drug prescription controls were exposed.
- The vulnerability was reported to Indian authorities and has been fixed.

A critical security vulnerability in DavaIndia Pharmacy's platform, operated by Zota Healthcare, permitted unauthorized individuals to gain complete administrative access. This breach exposed sensitive customer order details and functions related to drug prescription controls. A security researcher identified insecure application programming interfaces on the DavaIndia website, which enabled unauthenticated users to create high-privilege 'super admin' accounts.
With this elevated access, attackers could view thousands of online orders, modify product listings and pricing, and alter the settings that determine prescription requirements for certain medicines. The vulnerable interfaces had reportedly been active since late 2024, potentially exposing nearly 17,000 orders and administrative controls for 883 stores. The researcher reported the issue to India's national cyber emergency response agency in August 2025, and the flaw was addressed within weeks.
This incident highlights significant privacy and patient-safety risks, as pharmacy order data can reveal deeply personal health information. While there is no indication that the flaw was exploited before it was fixed, the exposure underscores the critical need for robust cybersecurity measures, especially as Zota Healthcare continues to scale its retail pharmacy business nationwide.




