India’s Largest Pharmacy Platform Exposed Customer and Internal System Data

Related

KDDI Confirms Zero-Day Exploit Behind Breach Affecting 12 Million People

What happened KDDI has updated its earlier breach disclosure, confirming...

Aflac Japan Data Breach Impacts 4.38 Million Customers and Agents

What happened Aflac Life Insurance Japan disclosed a data breach...

Nissan Discloses Employee Data Breach Linked to Oracle Zero-Day Attacks

What happened Nissan disclosed a data breach affecting current and...

KDDI Breach Exposes Up to 14.2 Million Email Logins at Six ISPs

What happened Japanese telecommunications operator KDDI disclosed a data breach...

Xsolis Data Breach Affects 1.4 Million Individuals

What happened Healthcare technology company Xsolis disclosed a data breach...

Share

What happened

A critical vulnerability in the online platform of Dava India, a division of Zota Healthcare, allowed attackers to create privileged super admin accounts and gain full control of backend systems. The issue, discovered by Eaton-Works, was caused by backend APIs that lacked authentication checks, enabling unauthorized users to reset admin credentials and access internal administrative functions. The exposure included customer order information, store details, and product management capabilities, affecting nearly 17,000 customer orders across 883 stores. Attackers with super admin access could also modify product listings, change pricing, disable prescription requirements, and generate promotional coupons. The vulnerability was reported to CERT-IN and later patched, and researchers confirmed no known personal data theft occurred before remediation. 

Who is affected

Customers and operations of Dava India, particularly those using its online platform and mobile app, are affected, as exposed administrative access allowed visibility into customer orders and internal system management functions. 

Why CISOs should care

The vulnerability demonstrates how insecure API authentication controls can expose sensitive customer and operational data while enabling attackers to manipulate core business systems and administrative functions. 

3 practical actions

  • Audit API authentication controls. Ensure administrative and backend endpoints enforce proper authentication and authorization checks. 
  • Review administrative account creation logs. Identify unauthorized privileged account creation or credential resets. 
  • Monitor system configuration changes. Detect unauthorized modifications to products, pricing, or system settings enabled through privileged access.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.