Cyber Incident Victim: Apotheka

Date: Jan 2024

Location: Estonia

Summary

A cyberattack targeting Allium UPI, which manages loyalty card data for an Estonian pharmacy chain, compromised personal information of approximately 700,000 individuals—nearly half the country's population. Exfiltrated data included names, personal identification codes, email addresses, phone numbers, home addresses, and historical purchase details of non-prescription medications and pharmacy goods spanning several years, though prescription records and passwords remained secure. The breach originated from unauthorized access to a backup database via compromised employee credentials, with investigators noting insufficient data protection measures and rapid exfiltration. International law enforcement agencies are pursuing the perpetrators, while regulatory authorities highlighted systemic negligence toward cybersecurity in handling sensitive health-related customer information.

Description

In early 2024, Allium UPI, a service provider for the Apotheka pharmacy chain, Apotheka Beauty outlets, and Pet City stores in Estonia, Latvia, and Lithuania, disclosed a significant data breach affecting approximately 700,000 individuals—nearly half of Estonia’s population. The incident involved unauthorized access to a backup database containing customer loyalty program information from 2014 to 2020, which was not linked to real-time systems. Cybercriminals exfiltrated personal identification numbers, email addresses, phone numbers, physical addresses, and purchase histories of non-prescription items such as over-the-counter medications and bandages. A total of 43 million purchase records were compromised, alongside over 400,000 email addresses, nearly 60,000 home addresses, and approximately 30,000 phone numbers. Data related to prescription medications, passwords, and financial details remained unaffected, as these were not stored in the loyalty card system. The breach was detected by Allium UPI, which promptly notified Estonia’s Central Criminal Police, the Information System Authority (RIA), and the Data Protection Inspectorate (AKI) in mid-February 2024. A criminal investigation was initiated under Estonia’s Penal Code provisions for illegal computer system access, with international law enforcement collaboration.

Starting January 1, 2024, Allium UPI began notifying affected customers via email, detailing the specific data exposed for each individual and emphasizing that the company would not request additional information to avoid phishing risks. The company implemented enhanced security measures for customer data storage and apologized for the incident. Police confirmed no evidence of the stolen data being actively exploited for criminal purposes but warned the public to remain vigilant against potential fraud attempts unrelated to the attackers. Investigators determined the breach occurred within minutes, indicating insufficient safeguards for personal data at Allium UPI. The AKI launched a parallel supervisory procedure, criticizing businesses for treating data protection as a secondary concern. RIA’s incident response team (CERT-EE) highlighted the absence of two-factor authentication and over 1,000 inadequately secured remote desktop systems in Estonia as contributing vulnerabilities. The incident followed a late-2023 ransomware attack on another Estonian health data firm, Asper Biogene, underscoring recurring cybersecurity challenges in the sector. Allium UPI’s parent company, Magnum Pharma, faced scrutiny due to the scale of the breach, though no further technical or operational specifics were disclosed during the ongoing investigation.
