United States-based payment kiosk vendor Avanti Markets has experienced a database breach that compromised a considerable amount of personal information from users including biometric data.

Avanti Markets—which provides self-service snack machines for organizations and reportedly serves more than 1.6 million customers—was hit by a malware attack that resulted in significant pieces of customer data being stolen.

Read: Restaurants Targeted By Malware: New Attack Goes Undetected By Antivirus Tools

Customer data stolen in the database breach includes full names, email addresses, credit card information, and fingerprints that were stored to allow customers to make quicker, single-touch payments.

The attack was first discovered by Avanti Markets on July 4. There is no indication just how long the malware was present on machines or how many users were affected by the data breach. The company has yet to identify the root cause of the attack.

The malicious software that apparently hit Avanti Markets kiosks appears to have been a strand of malware known as PoSeidon or FindPOS, an attack designed specifically to target point-of-sales systems and steal payment information from customers.

An analysis of the attack published by security firm Risk Analytics theorized a larger vendor of Avanti Markets machines may have been compromised first and then distributed the vending machines to local operators where the breaches occurred. Risk Analytics reported machines in at least two cities had been hit by the attack but did not provide any additional details.

Read: Chipotle Hacked: Credit Card Breach, Malware Hit 'Most' Locations, Restaurant Reports

Security reporter Brian Krebs reported that some Avanti Markets machines do not use P2Pe—or point-to-point encryption—to encrypt the data that is used during a transaction. Theoretically, a machine with such an encryption protocol would protect the data of a customer even if the machine was compromised. The encryption would make the information essentially unreadable unless the attacker was able to crack the protection.

Structure Security
Newsweek is hosting a Structure Security event Sept. 26-27 in San Francisco. Newsweek Media Group

In response to the attack, Avanti Markets has shut down payment processing at affected locations—though patrons can still pay with cash on some machines. The company also said it informed law enforcement, including the FBI, or the attack.

The vending machine maker said it would also provide affected customers with free credit monitoring services. In response to the breach, Avanti Markets also promised to implement end-to-end encryption on all its machines to minimize the threat to customer data in the future.

Point-of-sales malware attacks are becoming increasingly common, likely because it provides attackers with access to a wealth of information including payment details like credit card numbers.

Earlier this year, Chipotle disclosed that “most” of its locations were hit by malware earlier this year that was capable of stealing cardholder names along with card numbers, expiration dates and verification codes. Similarly, a number of Shoney’s restaurant locations were hit by an attack that resulted in customer credit card information being compromised.

Newsweek’s Structure Security conference on Sept. 26-27 in San Francisco will highlight the best practices that security professionals are using to protect some of the world's largest companies and institutions, join us for two days of talks, workshops and networking sessions with key industry players - register now.

RELATED STORIES
Security Marketing Security Security