TUKWILA, Wash., Aug. 31, 2017 /PRNewswire/ --
To our Avanti Markets Community:
As most of you are aware by now, Avanti Markets suffered a data breach through a third party software provider over the July 4th holiday that impacted some Avanti Market kiosks. We are providing this supplemental notice to update you on the incident and what we have learned since our original media notice on July 18, 2017.
Our team acted swiftly to contain the intrusion; however, the malware may have resulted in the capture of some kiosk users' credit and debit card information. The malware that infiltrated our system was a new strain believed to have originated in Russia and designed to capture credit card information from the hard drives of the kiosks. It was intended to capture credit card numbers, expiration dates, and CVV codes. No biometric data was ever at risk in this incident. The malware was only effective on kiosks with mag-stripe card readers. It did not capture credit card information from kiosks equipped with end-to-end encryption devices as card information was protected. We have listed the malware on an international register used by cyber security experts and others. Contrary to some early reports, the malware used in this attack had not been previously identified.
We apologize for any stress and anxiety this incident is causing some of our operators and their customers. The security of your personal information is our top priority. Please know that we are doing everything in our power to address this problem and to make sure that it will not happen again. At the time of this incident, Avanti Markets had delivered updated payment devices that included encryption technology, which operators were in the process of deploying to all kiosks. As of August 4, 2017, within 30 days of learning of the incident, that solution was installed on 100% of kiosks in the United States.
In the meantime, we are committed to providing our operators and consumers with a secure system. Our company has hired an outside law firm and industry leader in cyber technology to continue to assist in our resolution of this incident. We are determined to learn from this experience and continue to be a leader in the micro market industry.
We have provided the facts as we now know them and the steps we have taken to address this problem. We have also posted detailed information on our website (http://www.avantimarkets.com/notice-of-data-breach/) and contacts for people who have questions and concerns.
I am painfully aware that this incident has caused problems for operators and their customers, and I sincerely apologize. We are doing all we can to rectify the situation and to minimize the chances of this ever happening again. Cybercrime remains a serious threat, one that no one industry can combat alone. Avanti Markets is committed to working with other businesses and government to enhance security for us all. We will continue to update the website as more information becomes available. Thank you for your understanding and continued support.
– Jim Brinton, Chief Executive Officer and Founder, Avanti Markets
Notice of Data Breach
What Happened?
On July 4, 2017, we were alerted to an intrusion by a sophisticated malware attack which affected kiosks at some Avanti Markets. At this stage, we have determined the attack was not successful on all kiosks and many kiosks have not been adversely affected.
What Information Was Involved?
At this point, it appears the malware was intended to gather certain payment card information including credit/debit card number, expiration date, and CVV code. While our original notice included cardholder name as potentially being compromised, the investigation results have shown this not to be the case. Many kiosks encrypt credit card information and payment card data on those kiosks would not be subject to this incident.
What We Are Doing?
We have been working nonstop to address this incident, including: commencing an investigation to determine the scope of this incident and attempt to identify those affected; working to secure our information systems, including changing passwords and other related measures; retaining a nationally-recognized forensic investigation firm and outside legal counsel to assist; notifying the FBI; shutting down payment processing at some locations and working with our operators to purge impacted systems of any malware from the attack to minimize the risk of a data compromise in the future; developing FAQs to assist affected persons; setting up a call center to answer questions about the incident; and continuing to assess and modify our privacy and data security policies and procedures.
Through these efforts, the number of at risk kiosks quickly and steadily declined. Within 14 days of learning of the incident (July 18) we were able to work with operators and hosts to ensure that the malware that caused the incident was not active on more than 98% of affected kiosks. Shortly after that, by August 4, we completed implementation of the end-to-end encryption solution, eliminating the risk to payment card transactions on the few remaining kiosks. For a very small number of kiosks, representing less than 2% of affected kiosks, information could have been compromised if the kiosk was used between July 19 and August 4. However, on July 5, we provided instructions and took steps to (i) disable card readers and (ii) have notice posted on kiosks alerting customers not to use their payment cards. We are advising anyone who utilized a kiosk between July 4, 2017 and August 4, 2017 (the time period when the malware may have been active) to take steps to protect their information, including enrolling in the credit monitoring service we are providing at no cost to you. As noted, during this period the number of at-risk kiosks declined, meaning that not all kiosks were at risk during the entire window. Please note, after ensuring the malware was inactive, we attempted to ascertain the potential at-risk transactions. Based on that investigation it appears some kiosks may have accepted, but did not complete, a limited number of transactions in the period prior to the date the malware attack began (July 4). These transactions were not completed as the kiosks likely were unable to communicate with the applicable banks when the transactions were attempted. When these kiosks came back online, transactional records suggest that some of the transactions which were attempted, but not processed, may have also been at-risk. Our original notice referenced July 2, 2017, to account for these attempted but not processed transactions. 
The recent review of the transaction data indicates a small number of transactions which occurred prior to July 2, 2017, may also be at-risk. We learned most of these transactions occurred during the 14-day period prior to July 4, with a very small number of transactions occurring as early as April 7, 2016.
We have made available credit monitoring services at no cost to those individuals whose personal information has been compromised. Specifically, we have partnered with Equifax® to provide its Credit Watch™ Silver identity theft protection product for two years at no charge to you. If you choose to take advantage of this product, it will provide you with a notification of any changes to your credit information, up to $25,000 Identity Theft Insurance Coverage and access to your credit report. To enroll, you must first call 800-224-8040 to obtain an authorization code and then go to www.myservices.equifax.com/silver, enter your activation code, click submit, and follow the enrollment instructions. You must complete the enrollment process by July 8, 2018. We encourage you to enroll in that service.
What You Can Do.
Even if you utilized your payment card at a kiosk, it does not mean you will be affected by this incident. However, out of an abundance of caution, we recommend that you remain vigilant and consider taking one or more of the following steps to avoid identity theft, obtain additional information, and protect your personal information:
1. Contact the nationwide credit-reporting agencies as soon as possible to:
- Fraud Alert. Add a fraud alert statement to your credit file at all three national credit-reporting agencies: Equifax, Experian, and TransUnion. You only need to contact one of the three agencies listed below; your request will be shared with the other two agencies. To place a 90 day fraud alert on your credit file, log into the Equifax Member Center and click on the fraud alert tab, visit www.fraudalerts.equifax.com or call the auto fraud line at 1-877-478-7625, and follow the simple prompts. This fraud alert will remain on your credit file for 90 days.
- Security Freeze. Place a "security freeze" on your credit account. If you would like to request a security freeze be placed on your account, you must write by certified or overnight mail (see addresses below) to each of the three credit reporting agencies, or through the electronic or Internet method made available by the credit reporting agencies. Credit reporting agencies charge a $5 fee to place or remove a security freeze, unless you provide proof that you are a victim of identity theft, in which case there is no fee. In your request, you also must include (i) a copy of either the police report or case number documenting the identity theft, if you are a victim of identity theft; (ii) your full name (including middle initial as well as Jr., Sr., II, III, etc.), address, Social Security number, and date of birth; (iii) if you have moved in the past 5 years, the addresses where you have lived over the prior 5 years; (iv) proof of current address such as a current utility bill or phone bill; (v) a photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.); and, if applicable (vi) payment by check, money order or credit card (Visa, Master Card, American Express or Discover cards only).

| Equifax | Experian | TransUnion |
| --- | --- | --- |
| P.O. Box 740256 | P.O. Box 9554 | P.O. Box 2000 |
| Atlanta, GA 30374 | Allen, TX 75013 | Chester, PA 19022 |
| (800) 525-6285 | (888) 397-3742 | (800) 888-4213 |
| (877) 478-7625 (report fraud) | (800) 680-7289 (report fraud) | |

- Free Credit Report. Receive a free copy of your credit report by going to www.annualcreditreport.com.
- Watch Bills, Statements and Mailing Lists. If you aren't already doing so, please pay close attention to all bills, credit-card charges, and bank account statements. Remove your name from mailing lists of pre-approved offers of credit for approximately six months.
2. Contact the Federal Trade Commission ("FTC") either by visiting www.ftc.gov, www.consumer.gov/idtheft, by calling (877) 438-4338, or by mail at Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW Washington, DC 20580.
3. If you believe you are a victim of identity theft you should immediately report same to law enforcement and/or your state attorney general.
4. For Maryland Residents: Maryland Office of the Attorney General is: Maryland Office of the Attorney General, 200 St. Paul Place, Baltimore, MD 21202; Telephone: (888) 743-0023; website: http://www.oag.state.md.us.
5. For North Carolina Residents: North Carolina Attorney General is: Address: North Carolina Office of the Attorney General, 9001 Mail Service Center, Raleigh, NC 27699; Telephone: (919) 716-6400; website: www.ncdoj.com/
6. For Puerto Rico Residents: The total number of affected individuals is unknown.
7. For Rhode Island Residents: Rhode Island Office of the Attorney General is: Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903; Telephone: (401) 274-4400; website: http://www.riag.ri.gov. The total number of affected individuals is unknown.
8. For New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA). These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete, or unverifiable information. For more information about the FCRA, please visit https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov. In addition, New Mexico consumers may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act. For more information about New Mexico consumers obtaining a security freeze, go to http://consumersunion.org/pdf/security/securityNM.pdf.
For More Information.
If you have questions or concerns you may contact us at 800-224-8040.
SOURCE Avanti Markets