Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
A security breach at one of India’s largest manufacturers allowed outsiders to gain access to its platform, exposing customer data and product management services, TechCrunch has learned.
The issue involved DavaIndia Pharmacy, the pharmaceutical group of Zota Healthcare, which operates a large distribution network in India. Security expert Eaton Zveare told TechCrunch that they discovered the flaw after they discovered that they were “senior administrators” running the security software on the DavaIndia website and sharing confidential information with India’s cyber security authorities.
The problem has now been fixed, and Zveare he disclosed his findings.
The exposure comes as Zota Healthcare is rapidly expanding its DavaIndia Pharmacy business. The Gujarat-headquartered company operates over 2,300 DavaIndia stores across India, including 276 new places was announced in January, and is being planned add another 1,200 to 1,500 over the next two years.
Zveare told TechCrunch that the bug stems from a vulnerable admin environment, which allows unauthorized users to create “Super admin” accounts with high privileges.
With this level, an attacker could view thousands of online orders with customer information, edit product lists and prices, create discount coupons, and customize settings that control whether certain products require prescriptions, the researcher said.
According to the time schedule of the system, Zveare said that the site at risk of management seems to have been alive since the end of 2024. The access showed about 17,000 online authorities and control authorities that take 883 stores, he said, allowing changes in prices, drug requirements, and sales discounts. Zveare said the vulnerability allows changes to be made to the website that can be used to hack or compromise.
Pharmacy order data can be sensitive, as it can reveal information about a person’s health, medications or other private purchases. The exposure of such data, even without evidence of misuse, carries greater privacy and patient safety risks than other consumer information.
“Customer information was linked to their orders,” Zveare said. This includes name, phone numbers, email IDs, addresses, total amount paid, and items purchased.
Zveare said he reported the matter to CERT-In, India’s national cyber emergency response agency, in August 2025. The threat was fixed within a few weeks, although the company’s confirmation took longer and was presented to cyber authorities at the end of November, he said.
Sujit Paul, CEO of Zota Healthcare, did not respond to emails sent by TechCrunch last month. The researcher said there was no indication that the bug was exploited before it was released.
