Cyber Incident Victim: Allium UPI
Date: Jan 2024
Location: Estonia
Summary
A cyberattack on Allium UPI, an Estonian pharmacy and retail service provider, resulted in the theft of personal data belonging to approximately 700,000 individuals—nearly half the country's population. Compromised information included personal identification codes, email addresses, phone numbers, physical addresses, and details of 43 million non-prescription purchases, though prescription medication data and passwords were unaffected. The breach involved historical records from a backup database managed for loyalty cardholders across affiliated pharmacies and stores. Law enforcement agencies, including international partners, are investigating the incident, with authorities criticizing insufficient data protection measures and noting the breach occurred within minutes. Regulatory officials emphasized that businesses often treat cybersecurity as a secondary concern, exacerbating risks to sensitive customer information.
Description
In early 2024, Allium UPI, a provider of pharmacy and hospital supply services operating loyalty card systems for Estonia’s Apotheka pharmacies, Apotheka Beauty outlets, and Pet City stores, disclosed a major data breach affecting approximately 700,000 individuals—nearly half of Estonia’s population. The incident involved unauthorized access to a backup database containing customer information from 2014 to 2020, which was not part of real-time systems. Cybercriminals exfiltrated personal identification numbers, email addresses, phone numbers, home addresses, and records of 43 million purchases, primarily non-prescription items like over-the-counter medications and bandages. Data on prescription medicines, banking details, and passwords were not compromised, as the loyalty program did not store them. The breach was detected in mid-February 2024, when Allium UPI notified Estonia’s Central Criminal Police, the Information System Authority (RIA), and the Data Protection Inspectorate (AKI) that their system had been illegally accessed and customer data downloaded. Investigators determined the intrusion and data theft occurred within minutes, indicating inadequate security safeguards.

Authorities launched a criminal investigation under Estonia’s Penal Code for illegal computer system access, with international cooperation to identify the perpetrators. Allium UPI began notifying affected customers via email in January 2024, specifying individualized impacts while emphasizing it would not request additional information. The company stated it had implemented enhanced security measures to prevent future incidents, though specifics were withheld due to the ongoing investigation. Police confirmed no evidence of criminal misuse of the leaked data but warned of potential fraud attempts unrelated to the breach. The AKI initiated a supervisory procedure to evaluate Allium UPI’s compliance with data protection laws, with Director Pille Lehis noting the incident reflected broader negligence toward cybersecurity in businesses. RIA’s CERT-EE highlighted that the attack likely originated from compromised employee credentials and criticized exposed remote desktop interfaces, while urging two-factor authentication and VPN usage for critical systems. The breach followed a late-2023 ransomware incident affecting 10,000 Estonians’ health data, underscoring recurring vulnerabilities in handling sensitive information.
