Company fined €3 million over Apotheka loyalty program data breach

The Data Protection Inspectorate has fined Allium UPI OÜ, the company that manages Apotheka's loyalty program, €3 million for failing to protect customer data and using inadequate security measures.
According to the Data Protection Inspectorate, the company's negligent attitude towards its customers' data jeopardized the privacy of more than 750,000 people, including children and other vulnerable groups.
The security incident took place in early 2024 inside the Apotheka loyalty program's information system.
The investigation found that Allium UPI did not implement basic cyber hygiene and data protection measures. As a result, unauthorized persons repeatedly accessed the information system and database backup and downloaded large amounts of sensitive customer data.
The leaked files contained the personal data (first and last name, personal identification code, language, gender, e-mail address, telephone number, home address) and purchase history of individuals who joined the Apotheka customer program between 2014 and 2020.
The latter included personalized information about purchased medicines, health services, and other sensitive pharmacy products, such as pregnancy and ovulation tests, hearing aid accessories, blood pressure monitors, intimate hygiene products, and skin care products.
According to the report, basic security measures were not implemented.
Allium UPI disagrees with the decision and is appealing it in court.
"Allium UPI has not been careless with personal data or left it unprotected. The Data Protection Inspectorate's decision is based on incorrect facts, and its assessment must be reviewed by the court. We sincerely regret that a backup copy of Apotheka's customer database was stolen by a criminal. Thanks to close cooperation with Estonian and international authorities, the Moroccan criminal has been identified. According to information provided to us by the Prosecutor's Office and law enforcement agencies, the data stolen a year and a half ago has not been used for criminal purposes or made available on the dark web," the company said in a press release.
"No customer passwords or bank details were collected or are being collected as part of the Apotheka customer program. The inspectorate's press release spreads misleading information about the stolen information. To give one example, of the data entries that actually fell into the hands of cybercriminals, a maximum of 0.01 percent were related to over-the-counter medicines. The purpose of the customer program is not to collect information about customers' medication or pharmacy products covered by state subsidies," the press release added.
---
Editor: Johanna Alvin, Michael Cole