15 Feb 2026, Sun

Massive Security Lapse at DavaIndia Pharmacy Exposes Customer Orders and Critical Drug Control Functions

A significant security vulnerability within DavaIndia Pharmacy, the expansive pharmaceutical retail arm of Zota Healthcare, has granted unauthorized external entities complete administrative control over its digital platform. This breach, exclusively revealed by TechCrunch, has jeopardized the privacy of countless customers by exposing sensitive order data and compromising critical drug-control functionalities. The gravity of this lapse is amplified by DavaIndia’s rapid expansion and its crucial role in the Indian healthcare ecosystem.

The discovery of this critical flaw was made by independent security researcher Eaton Zveare. Zveare stumbled upon the vulnerability while investigating insecure "super admin" application programming interfaces (APIs) present on DavaIndia’s public-facing website. Demonstrating a commitment to responsible disclosure, Zveare immediately shared the detailed findings with Indian cybersecurity authorities, including CERT-In, India’s national cyber emergency response agency. While the vulnerability has since been rectified, Zveare has publicly documented his findings on his personal website, providing a transparent account of the incident.

Zota Healthcare, the parent company, is currently in a phase of aggressive growth for its DavaIndia Pharmacy network. Headquartered in Gujarat, the company boasts an extensive footprint with over 2,300 DavaIndia outlets spread across India. This expansion is not slowing down; in January of this year, the company announced the addition of 276 new stores, and further ambitious plans are in motion to establish an additional 1,200 to 1,500 outlets within the next two years. This rapid scaling underscores the importance of robust security infrastructure, making the exposed vulnerability all the more concerning.

According to Zveare’s detailed account to TechCrunch, the security loophole originated from inadequately secured administrative interfaces. These interfaces, he explained, allowed unauthenticated users to create "super admin" accounts, bestowing upon them the highest level of privileges within the DavaIndia platform. Such unfettered access could have had devastating consequences, enabling malicious actors to not only view thousands of customer orders but also to manipulate product listings, alter pricing, generate fraudulent discount coupons, and, most alarmingly, modify the settings that dictate whether certain medications require a prescription.

The timeline of the breach is particularly troubling. System timestamps analyzed by Zveare suggest that these vulnerable administrative interfaces had been operational and accessible since late 2024. During this period, the exposed administrative controls encompassed a staggering 883 stores and potentially affected nearly 17,000 online orders. The ability to alter product pricing and prescription requirements could have led to widespread consumer deception and the potential for misdispensing of crucial medications. Furthermore, an attacker’s capacity to edit website content opened the door for defacement attacks or outright disruption of services, impacting patient access to essential medicines and healthcare information.

The nature of pharmacy order data makes its exposure particularly sensitive. Unlike general e-commerce transactions, pharmaceutical purchases can directly reveal an individual’s health conditions, ongoing treatments, and specific medical needs. This information is inherently private and, in many cases, deeply personal. The potential for this data to be misused, even without direct evidence of such exploitation in this specific incident, carries heightened privacy and patient-safety risks. Zveare emphasized this point, stating, "Customer information was linked to their orders. This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and the products purchased. Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people." The implication is that this data could be used for targeted marketing of sensitive products, or worse, for blackmail or discrimination based on health status.

Zveare’s proactive approach to reporting the vulnerability to CERT-In in August 2025 highlights the critical role of independent security researchers in safeguarding digital infrastructure. CERT-In, tasked with preventing and responding to cyber incidents, initiated an investigation, and the vulnerability was reportedly patched within weeks of Zveare’s notification. However, the official confirmation from Zota Healthcare regarding the fix took longer, with authorities receiving the confirmation in late November of the same year. This delay in formal confirmation could have left the system vulnerable for an extended period.

Efforts by TechCrunch to obtain a statement from Sujit Paul, the chief executive of Zota Healthcare, were unsuccessful, as he did not respond to emails sent last month. Despite the lack of direct evidence of exploitation, the mere existence of such a profound security gap at a prominent pharmacy chain raises serious questions about Zota Healthcare’s cybersecurity practices and its commitment to protecting customer data, especially as it aggressively expands its retail footprint.

The incident serves as a stark reminder of the evolving threat landscape and the critical need for continuous security assessments and robust data protection measures in the healthcare sector. Pharmacies, by their very nature, handle some of the most sensitive personal information. Any compromise of this data can have far-reaching implications for patient trust, privacy, and even physical well-being. The rapid digital transformation within the healthcare industry, while offering convenience and efficiency, simultaneously introduces new avenues for cyberattacks.

The scale of DavaIndia’s operations means that a successful exploitation of this vulnerability could have impacted a significant portion of the Indian population relying on their services. The ability for an attacker to control prescription requirements is particularly alarming, as it could have led to the dispensing of medications without proper medical oversight, potentially endangering lives. The exposure of order history, detailing specific medications purchased, could also be exploited for illicit purposes, such as the black market sale of prescription drugs or the targeting of individuals with specific health conditions.

The researcher’s detailed technical explanation of insecure APIs and the ease with which "super admin" privileges could be obtained points to a fundamental oversight in the development and deployment of the DavaIndia platform. Insecure API management is a known vulnerability vector, and organizations often underestimate the potential for unauthorized access through these programmatic interfaces. The fact that these interfaces were exposed on a public-facing website suggests a lack of stringent access controls and security testing protocols.
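The class of flaw described above, account creation that trusts a requested role without checking the caller, can be illustrated with a short added example. It is not code from DavaIndia, Zveare or TechCrunch; the role names, paths and route table are hypothetical, and the sketch pairs the failure mode with a hardened handler and a simple route audit.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role names and paths; the article does not describe the real API.
ROLE_RANK = {"customer": 0, "store_admin": 1, "super_admin": 2}
ADMIN_PREFIX = "/api/admin/"

@dataclass(frozen=True)
class Caller:
    user_id: str
    role: str

# Constructed route table: (method, path) -> minimum role, or None if no check is declared.
ROUTES = {
    ("GET", "/api/products"): None,
    ("POST", "/api/admin/users"): None,  # account creation with no guard
    ("PUT", "/api/admin/products/prescription-flag"): "super_admin",
}

def unguarded_admin_routes(routes):
    """Audit: list admin routes that declare no minimum role."""
    return sorted(path for (_, path), role in routes.items()
                  if path.startswith(ADMIN_PREFIX) and role is None)

def create_account_unsafe(caller: Optional[Caller], requested_role: str) -> dict:
    """The failure mode: the requested role is trusted, the caller is never checked."""
    return {"role": requested_role, "created_by": caller.user_id if caller else None}

def create_account(caller: Optional[Caller], requested_role: str) -> dict:
    """Hardened: authenticate first, then allow only roles the caller may grant."""
    if caller is None:
        raise PermissionError("authentication required")
    if requested_role not in ROLE_RANK or caller.role not in ROLE_RANK:
        raise ValueError("unknown role")
    if ROLE_RANK[caller.role] < ROLE_RANK["store_admin"]:
        raise PermissionError("caller may not create accounts")
    if ROLE_RANK[requested_role] > ROLE_RANK[caller.role]:
        raise PermissionError("cannot grant a role above your own")
    return {"role": requested_role, "created_by": caller.user_id}
```

Running an audit like `unguarded_admin_routes` in CI turns a missing guard on an admin path into a build failure rather than something discovered in production.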

The aftermath of this incident will likely see increased scrutiny on Zota Healthcare and potentially other pharmacy chains operating in India. Regulatory bodies may be prompted to review and strengthen cybersecurity guidelines for the pharmaceutical sector. Consumers, too, will likely become more aware of the risks associated with sharing personal health information online and may demand greater transparency and assurance from their healthcare providers regarding data security.

The fact that the bug has been fixed and the lack of evidence of exploitation are positive signs, but the incident itself is a critical wake-up call. As Zota Healthcare continues its ambitious expansion, it must prioritize integrating robust cybersecurity measures into its growth strategy. This includes regular security audits, penetration testing, secure coding practices, and comprehensive employee training on data privacy and security protocols. The trust placed in a pharmacy chain to handle sensitive health information is paramount, and incidents like this can erode that trust rapidly.

The story of the DavaIndia Pharmacy breach, as uncovered by Eaton Zveare and reported by TechCrunch, underscores the persistent challenges in securing digital infrastructure, particularly in rapidly growing sectors. The potential for devastating consequences, ranging from privacy violations to direct threats to public health, necessitates a proactive and vigilant approach to cybersecurity. The Indian cybersecurity authorities’ swift action in addressing the vulnerability is commendable, but it also highlights the ongoing need for collaboration between researchers, government agencies, and private companies to build a more resilient digital future. The lessons learned from this incident must be embedded into the operational DNA of all organizations handling sensitive data, ensuring that convenience and growth do not come at the expense of fundamental security and privacy.

The author of this report, Jagmeet Singh, is a seasoned journalist specializing in startups, tech policy, and major tech developments from India. His previous experience as a principal correspondent at NDTV, coupled with his direct contact information for verification, ensures the credibility and accuracy of his reporting. His dedication to uncovering and disseminating critical information about the technology landscape, particularly within the Indian context, is evident in his thorough investigation of this significant security lapse.
