Allium UPI, a company operating in Estonia and dealing with pharmacy and hospital products, experienced a significant data breach affecting nearly half of Estonian citizens and residents. The breach involved unauthorized access to the IT system that manages data for loyalty card holders across various associated stores, including the Apotheka pharmacy chain, Apotheka Beauty outlets, and Pet City stores. Discovered through a phishing attack, the breach compromised personal ID codes, purchase information, and contact details, including over 400,000 email addresses, around 60,000 home addresses, and approximately 30,000 phone numbers.
Following the breach, Allium UPI initiated a comprehensive response to mitigate the impact on affected individuals. Starting on a Thursday, the company began emailing each individual whose data had been downloaded illegally, providing specific information about the compromised data. Additionally, the company reassured the public that sensitive data such as passwords, banking details, or information concerning prescription medicines were not stored in the compromised databases and hence were not accessed during the breach.
To address the data breach, Allium UPI implemented additional security measures to strengthen the protection of customer data. The company also gave assurances that client data is securely stored and that robust measures are in place to prevent such incidents in the future. To date, the leaked data has not been used for criminal purposes, although there is a potential risk of exploitation by fraudsters unrelated to the hack.
The incident has prompted international police cooperation and a heightened focus on cybersecurity across businesses in Estonia. The Central Criminal Police and other regulatory bodies are actively investigating the breach, with an emphasis on enhancing data protection protocols and raising awareness about the importance of securing sensitive information. This breach serves as a critical reminder of the vulnerabilities that exist in digital data storage and the continuous need for vigilance in data protection practices.