Avanti Markets, a provider of smart vending machine terminals, has suffered a security breach that may have compromised customer information, including biometric data.
In a statement, the company has indicated that near the start of this month it found signs of “a sophisticated malware attack” that affected some Avanti Markets kiosks. The attack appears to have been aimed at obtaining payment card information, but it may also have exposed some customers’ biometric data “if they used the kiosk’s biometric verification functionality.”
The company says it has “retained a nationally-recognized forensic investigation firm” and informed the FBI of the incident, and has shut down payment processing at certain terminals. It’s also offering credit card monitoring services to affected customers.
The breach highlights some of the risks of server-side storage of biometric credentials. Authentication advocates like the FIDO Alliance urge businesses employing biometric authentication to take an on-device approach that keeps users’ biometric data on their smartphones and other personal devices used for authentication.