Apotheka data leak concerned hundreds of thousands of customers

Apotheka data leak concerned hundreds of thousands of customers. Photo: Mihkel Maripuu

The Estonian Central Criminal Police, the Office of the Prosecutor General, the Data Protection Inspectorate and the Information System Authority (RIA) announced in a joint statement on Thursday morning that the Apotheka customer data leak concerned hundreds of thousands of people.

Allium UPI, a pharmacy and hospital supplies company, reported in February that the loyalty card system it manages had been illegally accessed and that customers' personal identification codes, purchase data and contact data had been downloaded. The circumstances will be clarified in the course of the criminal proceedings and supervision proceedings that have been initiated.

It has been established in the criminal proceedings so far that nearly 700,000 personal identification codes, over 400,000 e-mail addresses, nearly 60,000 home addresses and about 30,000 phone numbers of Apotheka, Apotheka Beauty and PetCity loyalty card holders were illegally downloaded from the Allium UPI database. The downloaded data also makes it possible to identify over-the-counter drugs and other pharmacy products purchased between 2014 and 2020, but not purchased prescription drugs. People whose data was illegally downloaded will be personally notified by Allium UPI via e-mail.

Ago Ambur, head of the cyber crime bureau of the Central Criminal Police, said that the goal of the police is to determine who is behind this crime.

«Since the discovery of the crime, the police have been working closely with various countries to identify the criminal while the trail is still hot. As far as the police know, the leaked data has not been used for criminal purposes at the moment. However, cyber crime is very international and other crooks also skillfully exploit such leaks. Therefore, please be careful if you are contacted by anyone other than Allium UPI regarding this data breach, as scammers may try to take advantage of the current situation to defraud people of money and data. Allium UPI will notify everyone whose data was downloaded about the incident, but will not ask people for additional data,» Ambur added.

State Prosecutor Vahur Verte said that cybercriminals are deliberately working to gain access to more sensitive data.

«People are increasingly required to entrust their personal data to service providers, because digital management and data storage are more efficient and convenient than paperwork. Therefore, people trust that service providers are also committed to protecting their data. This trust is easy to lose but hard to regain. Companies that process people's health data or other sensitive data must take a particularly responsible approach to cyber security,» he added.

According to Pille Lehis, director general of the Data Protection Inspectorate, this is yet another case that shows that data protection is secondary for companies.

«Companies and institutions must seriously consider whether and how to increase investments for ensuring security. The damage of such a case is not only material, but reputational damage that undermines trust. We ask people to be critical about sharing their personal data, including for customer accounts, based on this incident. Consent given at one point can be withdrawn at any moment, but already collected data cannot be permanently deleted. As people, we also need to be interested in what data is known about us, for what purpose it is collected and who has access to it. Data has become our most important and valuable currency as individuals. Please trade it responsibly, because the value of this currency is increasing every day,» she said.

Veikko Raasuke, head of the CERT-EE incident response department of RIA, said that a cyber attack with serious consequences against a company or institution often begins with the takeover of an employee's user account.

«In order to learn the username and password, criminals can use, for example, malware that an employee downloads to their computer with an infected e-mail attachment or pirated software from a suspicious source. In order to prevent criminals from immediately entering the system with an employee's leaked password, two-step authentication should definitely be used. Also, only those information systems and services for which it is absolutely necessary should be accessible from the internet, and all of them should also be placed behind a VPN or other security solution. Unfortunately, CERT-EE's automatic monitoring data shows that Estonia still has, for example, more than 1,000 remote desktops freely accessible from the internet,» he said.

Criminal proceedings were initiated under the section of the Penal Code dealing with the illegal obtaining of access to computer systems. The criminal proceedings are being carried out by the cyber crime bureau of the Central Criminal Police and led by the Office of the Prosecutor General. The supervisory proceedings are being carried out by the Data Protection Inspectorate.

People whose data was leaked are asked to contact Allium UPI and the companies of its joint customer loyalty program -- Apotheka, Apotheka Beauty or PetCity -- directly with any questions.