Avanti Markets

Avanti Markets, headquartered in the United States, operates as a vendor of self-service food kiosks, providing automated retail solutions for food and beverage purchases. Its core services encompass integrated payment processing systems that accept traditional credit and debit cards, alongside proprietary stored-value Market Cards which link to customer names and email addresses. The company also implemented biometric verification options, specifically fingerprint authentication, at its kiosks to facilitate transactions. These systems manage the complete payment flow, from authorization to settlement, within its network of unattended retail points. The 2017 security incident directly confirms the scope of its data handling, revealing that its infrastructure processes and stores sensitive financial and personal customer information. The breach of these kiosks demonstrates that Avanti Markets' business model is fundamentally tied to the secure management of payment card data and identity verification technologies in a physical retail environment.

The 2017 compromise of Avanti Markets' systems provides significant insight into its operational and security posture. Attackers deployed the PoSeidon (FindPOS) malware through the corporate network to infect point-of-sale terminals at the kiosks, a method that underscores the interconnected nature of its managed IoT devices. The malware successfully exfiltrated extensive customer data, including cardholder names, primary account numbers, expiration dates, and, for users of the fingerprint system, biometric templates. A critical finding was that approximately half of the affected kiosks lacked point-to-point encryption, a basic security control for payment systems, which significantly amplified the breach's impact. The incident also highlighted insufficient network segmentation between corporate IT and payment processing environments, a architectural weakness that allowed lateral movement. This event positions Avanti Markets as a case study in the risks associated with third-party management of payment-enabled IoT devices, where vulnerabilities in the vendor's security controls directly expose consumer financial data across its installed base. The necessity to temporarily shut down credit card processing at multiple locations following the discovery illustrates the direct operational consequences of such a security failure on its core service delivery.