Major data leak hits 700,000 Estonians


Almost half of the population in the Baltic nation of Estonia had their personal data leaked after the system of the popular pharmacy chain Apotheca was breached.

Estonia’s law enforcement authorities have announced that the personal information of hundreds of thousands of residents was stolen during the breach of a database containing Apotheca customer data.

The breach affected loyalty card holders at Apotheca, as well as two other chain stores, Apotheca Beauty and PetCity, according to the investigators. The stolen database was operated by Allium UPI, a firm dealing with pharmacy and hospital goods.

All companies are part of the Estonian pharmaceutical wholesaler Magnum, which also operates stores in Finland, Latvia, and Lithuania.

Allium UPI first reported the incident in February, when it said that the loyalty card system it managed was breached and customers’ personal codes, purchase data, and contact data were obtained by cybercriminals.

The authorities have established after the investigation that the stolen information contains nearly 700,000 personal identification codes, more than 400,000 emails, almost 60,000 home addresses, and about 30,000 phone numbers.

The leaked data also include the details of some 43 million purchases, including over-the-counter drugs. Information on prescription medicine, banking details, and passwords were not leaked, the police said.

A backup copy of a database from the years 2014 to 2020 was breached and did not contain real-time information. Allium UPI said it would personally notify clients whose data was compromised.

The police are working to track down the culprits in what the authorities said was an international investigation. The authorities said that they had no information that the leaked data had been used for criminal purposes.

Investigators also suggested that Allium UPI, the operator of the breached system, did not put enough security measures in place. They noted that it only took several minutes for cybercriminals to download the information after breaching the system.

“This case reveals that data protection is a secondary issue for many businesses,” Director General of Estonia’s Data Protection Inspectorate Pille Lehis said, according to the broadcaster ERR.

Allium UPI said it had implemented additional security measures and “sincerely apologizes” for the incident.