Allium UPI

Allium UPI operates as an Estonian pharmacy and retail service provider, offering support services to affiliated pharmacies and retail stores. Its core activities include managing loyalty cardholder databases and processing purchase information for non‑prescription products. The organisation serves customers across Estonia by handling personal identification data, contact details, and transaction histories linked to pharmacy and retail purchases. It functions as a backend service provider that enables its affiliates to run loyalty programmes and track consumer behaviour. The scope of its operations is tied to the pharmacy and retail sector, focusing on data management rather than the dispensing of medication.

The cyberattack disclosed in January 2024 revealed that Allium UPI’s systems held personal data for approximately 700,000 individuals, a figure that corresponds to nearly half of Estonia’s population, indicating a substantial customer reach. The compromised backup database contained records of 43 million non‑prescription purchases, highlighting the volume of transaction data the organisation processes. Authorities noted that the breach unfolded within minutes and criticised the company’s insufficient data‑protection measures, underscoring a gap in its cybersecurity posture relative to regulatory expectations. While the incident exposed personal identifiers and contact information, prescription medication data and passwords remained unaffected, showing a delineation in the types of data stored. No explicit information about ownership, parent‑company relationships, or subsidiary structure is provided in the available sources.