Cybercriminals steal data of around 700,000 Apotheka pharmacy customers
Personal ID codes, purchase information and contact details of almost half of Estonian citizens and residents have been compromised in a mass data breach of the IT system operated by Allium UPI, a firm dealing with pharmacy and hospital products.
Allium UPI has been managing data held by loyalty card holders who are customers of the Apotheka pharmacy chain, plus Apotheka Beauty outlets and Pet City stores, all owned by the same group.
From today, Thursday, Allium UPI is emailing each individual whose data was illegally downloaded, to tell each customer specifically which of their data was compromised.
The data breach comprised information from the years 2014 to 2020, since it concerned a backup copy of a database that did not hold real-time information.
Ago Ambur, head of the cybercrime bureau at the Central Criminal Police, said the data leaked varies from person to person.
A total of over 400,000 email addresses, close to 60,000 home addresses and around 30,000 phone numbers have been illicitly obtained as a result of the hack.
Also leaked were details of a total of 43 million purchases, including non-prescription drugs and other pharmacy goods such as band-aids.
Data on prescription medicines purchased and on passwords did not fall into the cybercriminals' hands, however.
Allium UPI itself made an announcement on Thursday, saying: "The databases subject to the attack contained, in addition to clients' names, email addresses, phone numbers, personal ID codes, address details and non-prescription purchases."
"In some rare cases, some clients' purchase histories contain recorded information about over-the-counter medicines," the statement went on.
"The loyalty card program does not store passwords, banking details or information concerning prescription medicines, so the possibility of these falling into the hands of criminals is ruled out. Allium UPI OÜ cannot share further additional details with the public for the sake of the ongoing investigation," the company added.
Marika Pensa, a board member at Allium UPI, said that the company takes data protection very seriously and sincerely apologizes for any inconvenience or distress this incident may have caused people.
Pensa said: "We have implemented additional measures to strengthen the security of our customer data; client data is securely stored, and we are doing everything possible to prevent such incidents from occurring in the future."
The Central Criminal Police says the leaked data has not, to their knowledge, been used for criminal purposes, adding that such breaches of data can nonetheless be exploited by fraudsters unrelated to the actual hack.
"Consequently, we ask everyone to be vigilant should anyone other than Allium UPI contact you regarding this data breach, as fraudsters may try to exploit the current situation to try to extort money and more data from people," Ambur said.
Allium UPI itself will not be asking for additional information from customers when notifying them about the data leak, the company stressed.
International police investigation
The police investigation is international and not confined to Estonia.
In mid-February, Allium UPI informed the Central Criminal Police, the state Information System Authority (RIA) and the Data Protection Inspectorate (AKI) that their managed loyalty card system had been illegally accessed and customers' data downloaded.
"Since the detection of this crime, the police have been working closely with various states, to track down the culprits," Ambur said.
A criminal investigation was initiated under the section of the Penal Code dealing with illegal access to computer systems. The Central Criminal Police cybercrime bureau is conducting the investigation, under the direction of the Prosecutor's Office.
Investigators: Data protection a secondary concern for businesses
The time frame from system breach to illegal data download was only a few minutes, it is reported, suggesting that Allium UPI did not put enough personal data protection measures in place.
The AKI is also investigating, in a parallel supervisory procedure, what could have been done differently.
AKI Director General Pille Lehis said: "This case reveals that data protection is a secondary issue for many businesses."
The AKI thus urges the public to think critically before sharing their personal data, including the data they provide for customer accounts.
Lehis also stressed that while consent given can be withdrawn at any time, collected data can never be entirely erased.
She said: "As individuals, we must also be concerned about what data on us is known, the purpose for which it is collected and who can get access to it."
"Data has become the most important and valuable 'currency' when it comes to individuals. Please therefore share it responsibly."
Cybercriminals crave sensitive data
Veikko Raasuke, who heads up RIA's incident response department (CERT-EE), explained that a serious cyberattack against a company or institution often begins with the takeover of an employee's user account.
To obtain usernames and passwords, a cybercriminal might make use of malware that the employee unwittingly downloads onto their computer, either from a fraudulent email attachment or pirated software from a dubious source.
Raasuke said: "To bar criminals from immediately accessing the system via an employee's leaked password, two-factor authentication should definitely be used."
"Furthermore, only those IT systems and services which absolutely need to be accessible from the internet should indeed be accessed, plus all these should be placed behind a VPN or another security solution," Raasuke went on.
According to CERT-EE's own automated surveillance, there are still over 1,000 remote desktops in Estonia that can be freely accessed online.
Prosecutor Vahur Verte said cybercriminals intentionally aim to illegally access the most sensitive data they can.
This means that firms that process such sensitive data, including that relating to health, must be particularly responsible when it comes to cybersecurity.
Verte said: "People are increasingly coming to entrust service providers with their personal data, hence they place trust in these providers in earnestly protecting their data."
"This trust is easy to lose, but hard to regain," he added.
Allium UPI is, along with the Apotheka pharmacy chain and the Pet City chain of stores, a part of the Magnum pharma conglomerate.
This holding company is owned by Margus Linnamäe, a reclusive businessman who also owns the media group that publishes daily Postimees and its related titles, alongside several major companies.
Those worried about a possible breach of their data can check whether their email address and password have been leaked by visiting this site: https://haveibeenpwned.com/.
If the response shows that data appears to have been compromised, the user should change their passwords immediately.
Editor: Andrew Whyte