Can ignoring fundamental security measures like multi-factor authentication (MFA) lead to a multi-million euro fine? The Estonian Data Protection Inspectorate (AKI) has answered this question with a resounding “Yes,” imposing a €3 million fine on the pharmaceutical wholesaler Allium UPI. The case is a stark warning for any company that processes customer data, demonstrating that practicing good “cyber hygiene” is non-negotiable.

The Case: Data Breach in a Pharmacy Loyalty Program Involving Highly Sensitive Health Data

Allium UPI was responsible for managing the loyalty program for the “Apotheka” pharmacy chain. In early 2024, the company fell victim to a cyberattack. Unauthorized parties were able to repeatedly access the systems and steal backups of the loyalty program’s databases.

The stolen data included not only the personal details (name, address, email, phone number) of hundreds of thousands of customers who had joined the program between 2014 and 2020, but also their detailed purchase histories. This included highly sensitive information about purchased medications, pregnancy and ovulation tests, intimate hygiene products, and treatments for skin conditions—data that allows for direct conclusions to be drawn about the health and private lives of the individuals affected.

The Authority’s Decision: Elementary Security Measures Were Ignored

The Estonian Data Protection Inspectorate found that Allium UPI had grossly violated its duty to secure data in accordance with Art. 32 GDPR. The list of failures reads like a textbook example of basic security mistakes:

  • Lack of Multi-Factor Authentication (MFA): One of the most critical protective mechanisms for accounts was not implemented.
  • Shared Administrator Accounts: Multiple individuals used the same administrator account with an identical username and password, making it impossible to trace activities.
  • Insecure Backups: Data backups were not stored with adequate protection.
  • Insufficient Logging: System activity monitoring was inadequate, meaning the unauthorized access went unnoticed for too long.
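
The four findings above are all things an audit of authentication and backup-access logs would have surfaced early. The script below is an added example, not code from the page or from Allium UPI: it assumes a simple key=value log format (one event per line, stated in the docstring) and runs three checks over a constructed sample log, flagging privileged logins without MFA, an admin account used from different addresses within minutes (the signature of a shared or stolen credential), and backup exports made in a session that never completed a second factor.

```python
"""Audit an authentication/backup-access log for the failure classes listed
in the decision: no MFA, shared admin accounts, unprotected backup exports.
Added example; not code from the page or from Allium UPI. The log format is
an assumption, one event per line:

    <ISO timestamp> user=<name> role=<role> src=<ip> mfa=<yes|no> action=<verb> [object=<name>]
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not a real capture. The admin account "dbadmin"
# logs in from two different addresses within minutes, never with MFA, and
# then exports a database backup twice.
SAMPLE_LOG = """\
2024-02-10T08:02:11Z user=dbadmin role=admin src=10.0.0.15 mfa=no action=login
2024-02-10T08:09:40Z user=dbadmin role=admin src=203.0.113.7 mfa=no action=login
2024-02-10T08:11:03Z user=dbadmin role=admin src=203.0.113.7 mfa=no action=export object=loyalty_db_backup.sql.gz
2024-02-10T09:30:00Z user=anna role=analyst src=10.0.0.22 mfa=yes action=login
2024-02-10T09:31:12Z user=anna role=analyst src=10.0.0.22 mfa=yes action=query object=loyalty_db
2024-02-11T02:14:55Z user=dbadmin role=admin src=198.51.100.4 mfa=no action=login
2024-02-11T02:16:20Z user=dbadmin role=admin src=198.51.100.4 mfa=no action=export object=loyalty_db_backup.sql.gz
"""


def parse_line(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def logins_without_mfa(events):
    """Finding 1: logins that did not complete a second factor."""
    return [e for e in events if e["action"] == "login" and e["mfa"] != "yes"]


def shared_account_indicators(events, window=timedelta(minutes=30)):
    """Finding 2: one admin account logging in from different source
    addresses within `window`. That happens when several people share a
    credential or when it has been stolen; either way, attribution is lost."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["role"] == "admin":
            by_user[e["user"]].append(e)
    hits = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for a, b in zip(logins, logins[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= window:
                hits.append((user, a["src"], b["src"]))
    return hits


def backup_exports_without_mfa(events):
    """Finding 3: a backup leaving the system from a session opened without
    MFA. Each export is matched to the most recent login of the same user
    from the same source address."""
    hits = []
    last_login = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "login":
            last_login[(e["user"], e["src"])] = e
        elif e["action"] == "export":
            login = last_login.get((e["user"], e["src"]))
            if login is None or login["mfa"] != "yes":
                hits.append((e["user"], e["src"], e.get("object", "?")))
    return hits


def audit(text):
    """Run all three checks and return a summary; this is the kind of alert
    the 'insufficient logging' finding says never fired."""
    events = parse_log(text)
    return {
        "no_mfa_logins": len(logins_without_mfa(events)),
        "shared_account": shared_account_indicators(events),
        "backup_exports_without_mfa": backup_exports_without_mfa(events),
    }


if __name__ == "__main__":
    for name, result in audit(SAMPLE_LOG).items():
        print(name, result)
```

On the sample log the audit reports three logins without MFA, one shared-account indicator for `dbadmin` (10.0.0.15 and 203.0.113.7 within eight minutes), and two backup exports from sessions without a second factor. In a real deployment the same checks would run against the identity provider's sign-in log and the object-storage access log, and a hit on the backup-export check should page someone rather than land in a report.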

The authority emphasized that a company whose business model is based on processing customer data must view the protection of that data as an integral part of its business. Because Allium UPI neglected this duty, the substantial fine was imposed as a “last resort” to enforce accountability and prevent future violations.

What Does This Ruling Mean for Your Company?

  • Article 32 GDPR Is Not a Formality: The obligation to implement “appropriate technical and organizational measures” (TOMs) is a core requirement of the GDPR. This ruling shows that authorities interpret this strictly and consider basic standards like MFA to be mandatory.
  • “Cyber Hygiene” Is the Foundation: Strong, unique passwords, MFA, separate user accounts, and secure backup strategies are not optional extras; they are the absolute minimum, especially when processing sensitive data.
  • Sensitive Data = Greater Responsibility and Higher Fines: The sensitivity of the leaked health data was a decisive factor in the size of the fine. The more sensitive the data you process, the higher the security requirements.
  • Responsibility Cannot Be Outsourced: Even if you commission a service provider to process data, you, as the client, remain responsible for verifying their security standards (as per the data processing agreement under Art. 28 GDPR).

FAQ: Data Security & GDPR – What You Need to Know

What exactly does Article 32 GDPR require from companies?
It requires a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, and the nature and sensitivity of the data. The measures it names include pseudonymization and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to data promptly after an incident, and a process for regularly testing and evaluating the effectiveness of these measures.

Is Multi-Factor Authentication (MFA) mandatory for every company?
No, Multi-Factor Authentication (MFA) is not yet universally mandatory for every company, but it is becoming so for certain organizations and specific types of access. The NIS-2 Directive, for example, lists multi-factor or continuous authentication among the measures that covered entities must implement where appropriate. Today, MFA is considered “state of the art” for securing privileged and remote access, and supervisory authorities use it as a key criterion when judging whether security measures were appropriate under Art. 32 GDPR.

Who is responsible for the data in a loyalty program?
Typically, this involves either a joint controllership (Art. 26 GDPR) or a data processing agreement (Art. 28 GDPR). In any case, it must be clearly defined in a contract who is responsible for which security measures.

What are the first steps to take after discovering a data breach?
Take immediate action to contain the attack, preserve evidence (logs, affected systems, backups) before it is overwritten, assess the risk to the individuals affected, and report the breach to the competent data protection authority within 72 hours of becoming aware of it unless it is unlikely to result in a risk to those individuals (Art. 33 GDPR). Where the risk is high, as it is for leaked health data, the affected individuals must also be informed without undue delay (Art. 34 GDPR).

How can I have the data security in my company reviewed?
We are happy to help you with this. Contact us at: sofortdatenschutz.de/kontakt

Conclusion: Basic Data Security Is Non-Negotiable

The Allium UPI case is a powerful lesson: massive GDPR fines are not just levied for complex legal violations, but also for the simple failure to implement basic and widely-known security standards. For companies of all sizes, this means that investing in essential cyber hygiene is not a cost, but an indispensable insurance policy against financial and reputational disasters.