Customers purchasing from three locations are impacted

Apr 30, 2015 17:46 GMT

Self-serve kiosks installed at three Compass Group locations in the US have been compromised, putting at risk payment card information of customers.

Compass Group is a food service management company that serves about 8 million meals on a daily basis, through vending machines installed in places such as restaurants, corporate cafes, schools, arenas or museums. It has over 220,000 associates in all American states and in Canada.

Card security codes exposed

According to an announcement disclosing the compromise, the malware infecting the payment terminal captured card information that included names, card numbers, expiration dates and the CVV (card verification value).

An attacker in possession of this data can make fraudulent online purchases in the name of the victim. As per the PCI DSS (Payment Card Industry Data Security Standard), merchants should not store the CVV code on their systems.

The impacted customers are those who made purchases at one of three on-site dining locations in California (450 American Street, Simi Valley; 1800 Tapo Canyon Road, Simi Valley; and 375 Trimble Road, San Jose) between February 2 and March 9, 2015.

Compass Group says that it has no indication that any point-of-sale terminals at other locations have been compromised by cybercriminals.

One year of free identity protection available

The risk mitigation procedure for the affected payment systems included disabling them and removing the malware. The company says that the incident has been contained.

Although there is no information that the exposed data has been exfiltrated by the attackers, Compass Group recommends that affected customers review and keep a close eye on their credit reports and bank account statements.

Should suspicious activity be observed, customers are advised to contact the financial institution that issued the card and credit monitoring companies.

Compass Group offers all impacted customers a free one-year subscription to identity protection. The subscription also covers credit monitoring.