
Cyber Incident Victim: Avanti Markets

Date:

Jul 2017

Location:

United States of America

Summary

A self-service food kiosk vendor experienced a sophisticated malware attack affecting its payment systems, compromising customer payment card information including cardholder names, card numbers, and expiration dates. The breach also potentially exposed biometric data from users who employed fingerprint verification, alongside names and email addresses of those using stored-value Market Cards. The malware, identified as PoSeidon (FindPOS), was distributed through the vendor's corporate network to the kiosks, prompting the temporary shutdown of credit card processing at some locations. Analysis revealed that approximately half of the kiosks lacked point-to-point encryption, increasing the exposure of card data on those devices. The incident highlighted the risks associated with third-party-managed IoT devices and insufficient network segmentation in payment environments.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 2 techniques

Threat Actors: 2 actors

Type: Available to members

Location: Available to members

Description

On July 4, 2017, Avanti Markets discovered a malware attack affecting self-service payment kiosks deployed in corporate breakrooms across the United States. The company, based in Tukwila, Washington, acknowledged that hackers compromised its internal networks to distribute malicious software to these devices, potentially exposing customer payment card data and biometric information. Avanti’s investigation indicated the attackers targeted personal information stored on the kiosks, though not all systems were affected due to configuration differences. The malware specifically harvested credit and debit card details, including cardholder names, account numbers, and expiration dates. Customers using biometric verification through fingerprint scans faced additional risks, as the breach potentially compromised this sensitive data alongside names and email addresses associated with the Market Card payment option. Avanti temporarily disabled credit card processing at some locations following the discovery and initiated efforts to remove malware from infected systems. Third-party reports corroborated the incident, with at least one law firm confirming its on-site kiosk had credit card functionality suspended due to the breach.


Security firm RiskAnalytics later identified the malware as PoSeidon (also known as FindPOS), a point-of-sale malware family designed to exfiltrate payment card data. Their analysis revealed that the attack originated from a compromise of Avanti’s corporate network, which enabled malware distribution to locally managed kiosks. RiskAnalytics detected suspicious network traffic from an affected kiosk on July 4, noting the use of an SSL certificate historically linked to cybercrime operations, including ransomware. The breach impacted approximately 1.6 million users across thousands of kiosks, with exposure exacerbated by inconsistent implementation of point-to-point encryption (P2PE) technology: roughly half the devices lacked it. Avanti’s response included collaborating with operators to purge the malware and implement measures to reduce the risk of future compromise. The incident underscored the security challenges of third-party-managed IoT devices, as host organizations lacked direct control over kiosk maintenance or network segmentation. Consequences included prolonged payment processing disruptions, potential financial fraud from stolen card data, and exposure of biometric identifiers, marking one of the first breaches involving compromised fingerprint verification systems in consumer-facing kiosks.

Sources
Sources available to members
1 source