Dear Valued Customers,
Avanti Markets deeply values the relationships we have with individuals who utilize kiosks supported by Avanti Markets. This notice is to make you aware of an incident which may have resulted in unauthorized access or acquisition of your personal information and/or payment card data, and to provide you information on steps you can take to protect yourself and minimize the possibility of misuse of your information. We apologize for any inconvenience this may cause you and assure you we are continuing to work diligently to resolve this incident and to ensure that it will not happen again.
On July 4, 2017, we discovered a sophisticated malware attack which affected kiosks at some Avanti Markets. Based on our investigation thus far, and although we have not yet confirmed the root cause of the intrusion, it appears the attackers utilized the malware to gain unauthorized access to customer personal information from some kiosks. Because not all of our kiosks are configured or used the same way, personal information on some kiosks may have been adversely affected, while other kiosks may not have been affected.
WAS MY INFORMATION ACCESSED?
Based on our IT forensic investigation, we have determined that the attack was not successful on all kiosks and many kiosks have not been adversely affected. It appears the malware was only active beginning on July 4, 2017. Through a combination of efforts by our incident response team, the number of at-risk kiosks quickly and steadily declined. In the first 14 days of learning of the incident (July 18th) we were able to work with operators and hosts to ensure that the malware that caused the incident was not active on more than 98% of affected kiosks. Shortly after that, by August 4, we completed implementation of end to end encryption on all kiosks in operation throughout the United States, eliminating the risk to payment card transactions on the few remaining kiosks. We are advising anyone who utilized a kiosk between July 4, 2017 and August 4, 2017 (the time period when the malware may have been active) to take steps to protect their information, including enrolling in the credit monitoring service we are providing at no cost to you. However, as noted, during this period the number of at-risk kiosks declined, meaning that not all kiosks were at risk during the entire window. Please note, after ensuring the malware was inactive, we attempted to ascertain the potential at-risk transactions. Based on that investigation it appears some kiosks may have accepted, but did not complete, a limited number of transactions in the period prior to the date the malware attack began (July 4). These transactions were not completed as the kiosks likely were unable to communicate with the applicable banks when the transactions were attempted. When these kiosks came back online, transactional records suggest that some of the transactions which were attempted, but not processed, may have also been at-risk. Our original notice referenced July 2, 2017, to account for these attempted but not processed transactions.
The recent review of the transaction data indicates a very number of transactions which occurred prior to July 2, 2017, may also be at-risk. We learned most of these transactions occurred during the 14-day period prior to July 4, with a very small number of transactions occurring as early as April 7, 2016. To inquire about the remediation date for the kiosk you used, send an inquiry with the address of the kiosk’s location to: firstname.lastname@example.org.
WHAT INFORMATION WAS COMPROMISED?
As you know, the kiosks do not collect certain data elements (such as Social Security Number, date of birth, or federal or state identification number) from customers. Accordingly, those elements of personal information were not subject to compromise.
However, for customers that used a payment card to complete a purchase on an infected kiosk, the results of our investigation show that the malware did not compromise cardholder first or last name but in some cases compromised credit/debit card number, expiration date, and CVV code. While our original notice included cardholder name as potentially being compromised, the investigation results have shown this not to be the case.
In an abundance of caution, our original notice also advised customers who used their Market Card to make payments that they may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality. We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.
WAS BIOMETRIC DATA COMPROMISED?
No. In an abundance of caution, our original notice advised customers who used their Market Card and the kiosk’s biometric verification functionality may have had their biometric data compromised. We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data and as such this biometric data would not be subject to this incident as it is encrypted.
WHAT ARE WE DOING?
We have been working nonstop to address this incident, including taking the following steps:
- Immediately upon discovering that we were a victim of a malware attack, we commenced an investigation to determine the scope of this incident and attempt to identify those affected.
- We worked with our assembled internal response team and took steps to secure our information systems, including changing passwords and other related measures.
- We retained a nationally-recognized forensic investigation firm and outside legal counsel to assist.
- We notified the Federal Bureau of Investigation (“FBI”) and other law enforcement agencies.
- On July 5, we took steps to cease payment processing on affected kiosks and instructed operators on steps to take to minimize the risk of a data compromise in the future which included disabling card readers and posting signage for customers. We redoubled our efforts to implement end to end encryption for payment card transactions on 100% of US kiosks, and completed that on August 4. We additionally worked with operators to purge impacted systems of any malware from the attack.
- We developed a set of comprehensive FAQs to assist affected persons with gathering additional information about the incident and additional steps they can take to protect their personal information and identity. We will continue to update these FAQs if and/or when we discover further information about the nature and scope of the attack.
- We have made available credit monitoring services at no cost to those individuals whose personal information has been compromised. Specifically, we have partnered with Equifax® to provide its Credit Watch™ Silver identity theft protection product for two years at no charge to you. If you choose to take advantage of this product, it will provide you with a notification of any changes to your credit information, up to $25,000 Identity Theft Insurance Coverage and access to your credit report. Because some of our customers have requested an alternative provider of ID theft/monitoring services be made available, effective October 19, we are making similar services available through TransUnion. To enroll, you must first call 800-224-8040 to obtain an authorization code and then follow the enrollment instructions that are located here for TransUnion or here for Equifax. You must complete the enrollment process by July 8, 2018.
- For Canadian residents, we have made similar monitoring services available; refer to the FAQs for details/instructions.
- We treat all personal information in a confidential manner and are proactive in the careful handling of such information. We continue to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring. For instance, we have completed the process of implementing end to end encryption for all of our kiosks. Theft of data and similar incidents are difficult to prevent in all instances; however, we will be reviewing our systems and making improvements where we can to minimize the chances of this happening again.
WHAT CAN YOU DO?
The following information is not applicable to Canadian residents.
Even if you utilized your payment card at a kiosk, it does not mean you will be affected by this incident. However, out of an abundance of caution, we recommend that you remain vigilant and consider taking one or more of the following steps to avoid identity theft, obtain additional information, and protect your personal information:
- Contact the nationwide credit-reporting agencies as soon as possible to:
- Fraud Alert. Add a fraud alert statement to your credit file at all three national credit-reporting agencies: Equifax, Experian, and TransUnion. This statement alerts creditors of possible fraudulent activity within your report as well as requests that they contact you prior to establishing any accounts in your name. Once the fraud alert is added to your credit report, all creditors should contact you prior to establishing any account in your name. You only need to contact one of the three agencies listed below; your request will be shared with the other two agencies. To place a 90-day fraud alert on your credit file, log into the Equifax Member Center and click on the fraud alert tab, visit www.fraudalerts.equifax.com or call the auto fraud line at 1-800-224-8040, and follow the simple prompts. This fraud alert will remain on your credit file for 90 days.
- Security Freeze. Place a “security freeze” on your credit account. This means that your credit account cannot be shared with potential creditors. A security freeze can help prevent new account identity theft. If you would like to request a security freeze be placed on your account, you must write by certified or overnight mail (see addresses below) to each of the three credit reporting agencies, or through the electronic or Internet method made available by the credit reporting agencies. Credit reporting agencies charge a $5 fee to place or remove a security freeze unless you provide proof that you are a victim of identity theft, in which case there is no fee. A copy of your police report or an investigative report or written FTC complaint documenting identity theft must be included to avoid a fee. In your request, you also must include (documentation for both the spouse and the victim must be submitted when requesting for the spouse’s credit report) (i) a copy of either the police report or case number documenting the identity theft, if you are a victim of identity theft; (ii) your full name (including middle initial as well as Jr., Sr., II, III, etc.,) address, Social Security number, and date of birth; (iii) if you have moved in the past 5 years, the addresses where you have lived over the prior 5 years; (iv) proof of current address such as a current utility bill or phone bill; (v) a photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.); and, if applicable (vi) payment by check, money order or credit card (Visa, Master Card, American Express or Discover cards only.)
Equifax: P.O. Box 740256, Atlanta, GA 30374; (800) 525-6285
Experian: P.O. Box 9554, Allen, TX 75013; (888) 397-3742
TransUnion: P.O. Box 2000, Chester, PA 19022; (800) 888-4213
- Free Credit Report. Receive a free copy of your credit report by going to com.
- Watch Bills, Statements and Mailing Lists. If you aren’t already doing so, please pay close attention to all bills and credit-card charges you receive for items you did not contract for or purchase. Review all of your bank account statements frequently for checks, purchases or deductions not made by you. Note that even if you do not find suspicious activity initially, you should continue to check this information periodically since identity thieves sometimes hold on to stolen personal information before using it. Remove your name from mailing lists of pre-approved offers of credit for approximately six months.
- Contact the Federal Trade Commission (“FTC”) either by visiting ftc.gov, www.consumer.gov/idtheft, or by calling (877) 438-4338. If you suspect or know that you are the victim of identity theft, you can report this to the Fraud Department of the FTC, who will collect all information and make it available to law-enforcement agencies. Contact information for the FTC is:
Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
- If you believe you are a victim of identity theft you should immediately report same to law enforcement and/or your state attorney general.
- For Maryland Residents: The contact information for the Maryland Office of the Attorney General is: Maryland Office of the Attorney General, 200 St. Paul Place, Baltimore, MD 21202; Telephone: (888) 743-0023; website: http://www.oag.state.md.us.
- For North Carolina Residents: The contact information for the North Carolina Attorney General is: Address: North Carolina Office of the Attorney General, 9001 Mail Service Center, Raleigh, NC 27699; Telephone: (919) 716-6400; website: ncdoj.com/.
- For Puerto Rico Residents: The total number of affected individuals is currently unknown.
- For Rhode Island Residents: The contact information for the Rhode Island Office of the Attorney General is: Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903; Telephone: (401) 274-4400; website: http://www.riag.ri.gov. The total number of affected individuals is currently unknown.
- For New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov. In addition, New Mexico consumers may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act. For more information about New Mexico consumers obtaining a security freeze, go to http://consumersunion.org/pdf/security/securityNM.pdf
FOR MORE INFORMATION.
If you have questions or concerns you may contact us by calling 800-224-8040 or emailing securityincidentinfo@AvantiMarkets.com. Again, we apologize for this situation and any inconvenience it may cause you.