Avanti Markets, which owns snack and drink vending machines across the USA, has suffered a data security breach. The company has admitted that hackers might have compromised not only customers’ credit card accounts, but also the physical biometrics associated with those accounts.
A security researcher has characterised this hack as a classic case of an Internet of Things (IoT) threat where a network-controlled device maintained by a third party was not properly patched, audited or controlled.
Michael Patterson, CEO of Plixer, said, “Vending machines have been vulnerable to hacking and thefts since the day they were brought to market. However, with IoT technology, the stakes are much higher now. The villains behind these infections aren’t interested in stealing the refreshments inside the machine; rather, they have their eyes on a much bigger prize: Personally Identifiable Information (PII) including one-of-a-kind fingerprints that can be resold on the dark web.
“This is an example of why organisations must begin to follow a least privilege model when deploying IoT devices. IP addresses should be defined, along with layer 4 protocols and application traffic profiles that IoT devices use to perform their defined task.”
Patterson continued, “With this knowledge, Network Traffic Analytics technologies can be leveraged to monitor traffic to and from IoT devices and alert if they send or receive any traffic that falls outside the least privilege policy.
“Even a single packet of traffic that falls outside the least privilege model should be reported, investigated, and remediated immediately.”
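The least privilege traffic policy Patterson describes can be expressed as a small allowlist per device and checked against summarised flow records. The following is an added example written for this article; it is not code from Plixer or from Avanti Markets. The device address, the policy rules and the flow records are all constructed for illustration, and the `Flow` and `Rule` types are hypothetical stand-ins for whatever a NetFlow or IPFIX collector would actually provide.

```python
"""Least-privilege traffic policy check for an IoT device.

Added example, not code from the article, Plixer or Avanti Markets. It
models the approach described above: per device, a list of allowed peers,
layer 4 protocols and ports (the device's application traffic profile),
covering traffic both to and from the device, and reports every flow that
no rule allows. Addresses, rules and flow records below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One summarised flow record (NetFlow/IPFIX style); fields constructed."""
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    bytes: int


@dataclass(frozen=True)
class Rule:
    """An allowed conversation for a managed device.

    direction "out": device -> peer_net on proto/dst_port
    direction "in":  peer_net -> device on proto/dst_port (a service on the device)
    """
    peer_net: str
    proto: str
    dst_port: int
    direction: str = "out"

    def matches(self, flow: Flow, device_ip: str) -> bool:
        if self.direction == "out":
            peer, local_ok = flow.dst_ip, flow.src_ip == device_ip
        else:
            peer, local_ok = flow.src_ip, flow.dst_ip == device_ip
        return (local_ok
                and ip_address(peer) in ip_network(self.peer_net)
                and flow.proto == self.proto
                and flow.dst_port == self.dst_port)


# Hypothetical policy for a single vending kiosk at 10.20.0.15: it may talk
# HTTPS to the payment gateway range, UDP/123 to the internal NTP server,
# and accept SSH only from one admin host. Nothing else is allowed.
KIOSK_IP = "10.20.0.15"
POLICY: Dict[str, List[Rule]] = {
    KIOSK_IP: [
        Rule("203.0.113.0/24", "tcp", 443),          # payment gateway (TEST-NET-3 placeholder)
        Rule("10.20.0.2/32", "udp", 123),            # internal NTP server
        Rule("10.20.0.50/32", "tcp", 22, "in"),      # management SSH from admin host
    ],
}


def violations(flows: List[Flow], policy: Dict[str, List[Rule]]) -> List[Flow]:
    """Return every flow involving a policy-managed device that no rule allows.

    No byte or packet threshold is applied: a single-packet flow to an
    unapproved destination is reported just like a large transfer.
    """
    out = []
    for f in flows:
        if f.src_ip in policy:
            device = f.src_ip
        elif f.dst_ip in policy:
            device = f.dst_ip
        else:
            continue  # neither endpoint is under this policy
        if not any(r.matches(f, device) for r in policy[device]):
            out.append(f)
    return out


# Constructed sample flows: three legitimate, three outside the policy
SAMPLE_FLOWS = [
    Flow(KIOSK_IP, "203.0.113.10", "tcp", 443, 5120),   # card authorisation
    Flow(KIOSK_IP, "10.20.0.2", "udp", 123, 76),        # NTP sync
    Flow("10.20.0.50", KIOSK_IP, "tcp", 22, 900),       # admin SSH session
    Flow(KIOSK_IP, "198.51.100.7", "tcp", 4444, 60),    # one SYN to an unknown host
    Flow(KIOSK_IP, "203.0.113.10", "tcp", 22, 1800),    # right host, wrong port
    Flow("192.0.2.9", KIOSK_IP, "tcp", 23, 48),         # inbound telnet probe
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS, POLICY):
        print(f"ALERT {v.src_ip} -> {v.dst_ip}:{v.dst_port}/{v.proto} bytes={v.bytes}")
```

Run as-is it prints three alerts: the outbound connection attempt to an unlisted host, the outbound SSH to the payment gateway (an approved peer on an unapproved port), and the inbound telnet probe. The rule set is deliberately an allowlist rather than a blocklist, so anything the device was never profiled to do is surfaced, which is what makes the single-packet standard in the quote workable.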