An apparent POS malware attack on vending company Avanti Markets' kiosks allowed adversaries to steal customer info, including names, card numbers and expiration dates, and possibly biometrics data.

Avanti Markets, a leading "micro market" vending company, has suffered a malware attack that allowed adversaries to steal payment and possibly fingerprint data from customers who used its self-service payment kiosks to purchase goods in various corporate workspaces.

According to an online statement from Avanti, the company on July 4 discovered a "sophisticated malware attack" that affected kiosks at some, but not all, micro market locations. Stolen data may include the full names, card numbers and expiration dates of credit and debit card users, the names and possibly email addresses of Market Card pre-paid card users, and potentially the biometric information of customers who used the kiosks' fingerprint-based verification technology to authorize a purchase.

Security expert Brian Krebs reported in a blog post over the weekend that hackers specifically breached the internal networks of Tukwila, Wash.-based Avanti and subsequently pushed out the malicious software to the kiosks. Krebs also referenced a July 7 blog post from RiskAnalytics, whose analysts found that a client's break room vending kiosks from Avanti were infected by what appears to be the POS malware PoSeidon (aka FindPOS). RiskAnalytics made this assessment based on malicious traffic patterns and specifically the discovery of an SSL certificate linked to this malware family.

According to the Avanti website, the company operates micro markets in 46 states, serving 200 million products annually to 1.6 million customers. Avanti said that in response to the incident, it has taken steps to secure its internal systems, shut down payment processing at some locations, begun removing malware from infected systems, hired a forensic investigation firm and contacted the FBI and other authorities. The company said it will attempt to identify victims and offer credit monitoring and other helpful services to affected individuals.