India’s largest pharmacy chain, Dava India, recently faced a significant data breach, revealing critical customer information and internal system vulnerabilities. Discovered by Eaton-Works, the breach was due to insecure ‘super admin’ APIs, posing serious security risks.
Security Flaw Details
The breach allowed unauthorized creation of a super admin account, providing full access to the pharmacy’s backend systems. Eaton-Works identified the issue, highlighting the lack of proper authentication checks in the backend APIs, which facilitated administrative control over the system.
Dava India, operating over 2,100 outlets nationwide, prides itself on being the largest private generic pharmacy retail chain. The company also manages an online platform and mobile app for purchasing medicines. However, the discovered vulnerability exposed sensitive elements of their online operations.
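The missing authentication check described above can be guarded against with a route table that states the role each endpoint requires, plus a build-time audit that flags admin routes registered without one. The sketch below is an added example, not code from Dava India or Eaton-Works; the route paths, role names and session tokens are hypothetical.

```python
# Added illustration; paths, roles and tokens are hypothetical, sample data is constructed.
SESSIONS = {"tok-admin": "super_admin", "tok-cust": "customer"}  # server-side sessions
USERS = {}  # email -> role

def create_admin(body):
    USERS[body["email"]] = "super_admin"
    return 201, "created"

def list_products(body):
    return 200, "products"

# Every route declares the role it needs; None means "public on purpose".
ROUTES = {
    ("POST", "/admin/users"): (create_admin, "super_admin"),
    ("GET", "/products"): (list_products, None),
}

def dispatch(method, path, token=None, body=None, routes=ROUTES):
    entry = routes.get((method, path))
    if entry is None:
        return 404, "not found"
    handler, required = entry
    if required is not None:
        # The caller's role comes from the server-side session, never from the request body.
        role = SESSIONS.get(token)
        if role is None:
            return 401, "authentication required"
        if role != required:
            return 403, "forbidden"
    return handler(body or {})

def unprotected_admin_routes(routes=ROUTES):
    """Audit for CI: list /admin/ routes that were registered without a required role."""
    return [key for key, (_, required) in routes.items()
            if key[1].startswith("/admin/") and required is None]
```

Running the audit in CI catches an admin endpoint that was added without a role requirement before it ships.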
Extent of Data Exposure
According to Eaton-Works, the breach could have exposed data from approximately 17,000 customer orders across 883 stores. The super admin access also allowed modification or deletion of over 1,500 products, price alterations, removal of prescription requirements, and creation of ‘100% off’ coupons.
The control extended to website display features, including sponsored content and embedded videos, raising concerns about potential content manipulation. This vulnerability highlighted the risks associated with inadequate API security, particularly in sectors like healthcare and retail where sensitive data is involved.
Response and Resolution
The vulnerability was reported to India’s Computer Emergency Response Team (CERT-IN) on August 20, 2025. Dava India addressed the flaw approximately a month later, although official confirmation came only in late November 2025. Eaton-Works disclosed the details publicly on February 13, 2026, marking a significant finding in the healthcare sector.
Fortunately, Eaton-Works confirmed that no personal data was stolen, and the vulnerability was patched before any exploitation occurred. The breach impacted only online systems, leaving in-store purchases unaffected. The incident emphasizes the importance of secure API design.
This incident underscores the critical need for robust security measures in digital platforms, especially those handling sensitive customer and operational data. As cybersecurity threats continue to evolve, businesses must prioritize strengthening their defenses to protect against potential breaches.
