Estonia Watchdog Fines Company $3.5M for Sloppy Data Safeguards
Allium UPI's reckless attitude toward customers' privacy jeopardized the data of more than 750,000 people, including children and vulnerable groups, the Estonian Data Protection Authority said Monday. It fined the company 3 million euros ($3.5 million).
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Allium manages a loyalty program for Apotheka, a pharmacy company, the DPA noted in an unofficial translation. In early 2024, due to Allium's failure to implement basic cyber hygiene and data protection measures, unauthorized persons repeatedly accessed its information system and database backup, downloading a large amount of sensitive customer information.
The leaked files included the personal data of people who joined the loyalty program between 2014 and 2020, along with their purchase history, the watchdog said. The latter included information about health imaging services, drugs purchased and other sensitive pharma products such as pregnancy tests.
The DPA's investigation found that, among other faults, Allium failed to use multilevel authentication, monitor activity logs and keep database backups safe.
The extent of the breach, the sensitivity of the data leaked, the number of people affected and the company's revenue were considered when setting the fine, the DPA said. Its decision was based on the General Data Protection Regulation and the relevant guidelines of the European Data Protection Council.
The penalty decision isn't yet in effect, and Allium can challenge it within 15 days, the DPA added.