U.S. payment kiosk vendor, Avanti Markets, recently fell victim to a malware scam. The U.S. kiosk vendor’s innovation is to take away counter services and replace them with an all-serving vending machine that covers whole sandwiches, fruit, drinks and junk food with one payment system.
Breach discovered
On 4th July 2017, Avanti discovered the malware scam that affected some of its kiosks. They made some investigations and concluded that the cyber-attackers used malware to gain unauthorised access to customers’ personal information from the kiosks. They explained that, because the kiosks aren’t configured in the same way, some of the kiosks weren’t affected.
Avanti confirmed they found the malware on their systems from 2nd July 2017 until 4th July 2017. Though they can’t put a number on how many people were affected, they stated that if you didn’t use a kiosk between that time, you’re unlikely to have been affected by the breach.
Investigations
Though Avanti have made initial investigations they still haven’t explained just how many of their customers had their information accessed. They noted that they’re still conducting an extensive IT forensic investigation to see the extent of the attack. This should also ascertain what kiosks were attacked.
What information was accessed?
Customers that used a payment card to make a purchase on an infected kiosk may have had their information accessed. The accessed information may include cardholder first and last names, credit/debit card numbers, and expiration dates. Avanti assured customers that the kiosks don’t collect certain data like social security numbers, dates of birth or federal/state identification number.
Notification
On 25th July 2017, Avanti Markets released a statement on their website to notify their customers of a ‘data incident’. It starts by saying:
“…this notice is to make you aware of an incident which may have resulted in unauthorised access or acquisition of your personal information and/or payment card data.”
They also made assurances that they’re working diligently to resolve the matter and “ensure that it will not happen again”.
That is quite a big pledge to make seeing as they failed to keep their customers’ data safe in the first place. Saying it will not happen again may give customers a false sense of security as data breaches can happen no matter how tight a company’s cyber-security is.
Biometric data wasn’t accessed
As some of the kiosks use biometric verification, some customers’ names, email addresses and biometric data could possibly be compromised. Avanti explain that all their kiosk fingerprints have end-to-end encryption, so the biometric data shouldn’t have been included in the breach.
But how can anyone really be sure?
Post-breach
In a bid to secure their customers’ data, Avanti Markets have taken the following steps:
- Upon discovering the malware, they commenced an investigation to identify those affected
- They worked with the internal team to change all passwords and measures
- Hired a nationally-recognised forensic investigation team to assist
- Shut down payment processing at some locations and working with operators to take steps to minimise the risk of data breaches moving forward
Though Ananti have taken a few steps to minimise the effect of the breach, it’s a little too late for them to try to reassure their customers when the damage may have already been done.