Avanti Markets, which specializes in self-serve food kiosks typically located in company breakrooms, said an undisclosed number of its 1.5 million customers may have had their personal and bankcard data compromised along with stored biometric data.
The company, based in Tukwila, WA, said on July 4 it discovered a “sophisticated” malware attack against a number of its kiosks, used for self-checkout at one of its 5,000 so-called micro-markets.
“Based on our investigation thus far, and although we have not yet confirmed the root cause of the intrusion, it appears the attackers utilized the malware to gain unauthorized access to customer personal information from some kiosks,” said John Reilly, president of Avanti, in a statement posted to its website on Monday.
The company said because of different kiosk configurations, data stolen may vary from location to location. “Personal information on some kiosks may have been adversely affected, while other kiosks may not have been affected,” Reilly wrote.
The company did not return Threatpost requests for comment for this story. But, according to Reilly’s online statement, customers who used Avanti’s “Market Card option may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality.”
It’s unclear what biometric data may have been associated with accounts. However, according to a description of the company’s kiosk technology, customers have a “Pay with Fingerprint Scanner” option.
“You can now pay for your favorite food or beverage items within your break room with just the quick tap of your finger on the Kiosk,” the site states.
Security experts have warned that fingerprint records coupled with personal data could present a security risk that is hard to mitigate. That’s because, unlike passwords, fingerprints can’t be reset. So-called “fake fingers” are not easy to produce, but the Chaos Computer Club proved several years ago that it is possible to use fingerprint data to bypass user authentication measures by creating latex molds of fingers.
According to the company’s website, its kiosks are in 46 U.S. states and used by 1.6 million customers. The company said it has notified the Federal Bureau of Investigation of the breach and shut down payment processing at an undisclosed number of locations. The company is also making credit-monitoring services available to customers at no cost.