Avanti Markets Malware Attack Included Biometric Information

Avanti Markets, a micro-market provider selling snacks at businesses and boasting more than 1.6 million customers, is the latest to get hit with a malware attack.

The company alerted customers to the breach through its website, warning that the incident may have resulted in unauthorized access or acquisition of personal information and/or payment card data. It discovered the “sophisticated malware attack” on July 4, 2017, and noted the security disruption affected kiosks at some Avanti Markets.  

Based on the company’s internal investigation so far, it seems the attackers utilized the malware to gain unauthorized access to customers’ personal information.

“At this point, it appears the malware was designed to gather certain payment card information, including the cardholder’s first and last name, credit/debit card number and expiration date,” Avanti Markets’ statement said. “In addition, users of the Market Card option may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk biometric verification functionality.”

The company said it launched an internal investigation as soon as the breach was discovered, notified the Federal Bureau of Investigation and other law enforcement agencies and shut down payment processing at some locations. It is working with operators to purge impacted systems of any malware from the attack.

“Theft of data and similar incidents are difficult to prevent in all instances,” said the Avanti Markets statement, “however, we will be reviewing our systems and making improvements where we can to minimize the chances of this happening again.”

While malware attacks are becoming a regular occurrence, Lisa Baergen, marketing director at Mastercard company NuData Security, said the breach of biometrics data could have a serious impact on its customers. Credit cards, passwords and other information can be changed, but fingerprints cannot.

“Now that this information is in the hands of fraudsters and likely for resale on the dark web, it will be too easy to breach and take over more accounts, create synthetic identities and more,” said Baergen in an email statement to PYMNTS. She also noted the breach underscores the need for organizations to rethink how they protect and verify identities in the digital world.

“We need to protect all consumer data, and using advanced techniques like passive biometrics and behavioral analytics gives organizations a step up on the bad actors looking to monopolize this data — even if they have their hands on active biometrics such as fingerprints,” said Baergen.  

Jonathan Sander, CTO of STEALTHbits Technologies, said the breach showcases the security problems facing all point-of-sale (POS) systems.

“The POS systems are often brought in from the outside, used by contract or part-time employees and even connected to networks that aren’t fully IT managed,” Sander said in an email to PYMNTS. “They live in a gray zone that makes them both hard to manage and easy to target.”