Estonia issues arrest warrant over major pharmacy data breach

Estonian authorities have issued an international arrest warrant for a Moroccan man accused of orchestrating one of the country’s most significant data breaches.

The suspect, 25-year-old Adrar Khalid, is alleged to have unlawfully accessed a customer database belonging to Allium UPI, the parent company of the popular Apotheka pharmacy chain, in February 2024. According to the Estonian Police and Border Guard Board, Khalid used administrator credentials to log into the system, though investigators are still working to determine how he obtained them.

Reemo Salupõld, who leads the Cybercrime Bureau’s investigation, said there is strong evidence suggesting Khalid deliberately misused privileged access to extract sensitive data.

The breach exposed the personal details of hundreds of thousands of customers, including personal ID codes, email addresses, home addresses and phone numbers. Nearly 700,000 identities were compromised, alongside purchasing records for non-prescription medicines dating back to 2014. Authorities stressed that prescription data was not included, and no misuse of the stolen data has yet been confirmed.

Estonia’s Prosecutor General has requested Khalid’s extradition should he be apprehended abroad. He is now listed on an international wanted persons register.

Allium UPI disclosed the incident in February, stating that its customer loyalty platform had been compromised. The company, which supplies products to pharmacies and hospitals across Estonia, Latvia and Lithuania, also manages customer programmes for Apotheka, Apotheka Beauty, and PetCity.

The breach has triggered widespread concern in the Baltics about data protection in the healthcare sector. Investigations are ongoing.