Over 700k Estonian Apotheka pharmacy users exposed in attack on IT vendor
Learn More
The personal data of approximately 700,000 customers of the Apotheka pharmacy chain, as well as patrons of Apotheka Beauty outlets and Pet City stores, is reported to have been compromised.
This breach, executed through an IT system managed by Allium UPI, a company specializing in pharmacy and hospital products, exposed a vast array of personal information including:
- personal ID codes,
- contact details,
- information on purchases made between the years 2014 and 2020,
The data was stolen from a backup database rather than current operational data. This database was part of Allium UPI's loyalty card program, affecting nearly half of Estonia's population.
The stolen data includes over 400,000 email addresses, approximately 60,000 home addresses, around 30,000 phone numbers, and details of 43 million transactions involving non-prescription drugs and other pharmacy items.
Per information from Allium UPI data related to prescription medications, passwords, and banking details were not accessed during the breach.
No details are disclosed about the nature of the breach.
Allium UPI is reaching out to each impacted individual via email to provide more detailed information regarding the compromised data specific to each customer.
Update - as of 28th of May 2025, Estonian authorities have issued an international arrest warrant for a Moroccan citizen suspected of orchestrating the data breach, which compromised sensitive customer information from nearly 700,000 pharmacy loyalty program members. The 25-year-old Moroccan citizen Adrar Khalid is suspected of illegally downloading data from the Allium UPI database, in February 2024.
