US firm Avanti Markets says that nearly 2000 of its self-service payment kiosks have been infected with malware, putting customers' card data at risk.
Avanti operates 'micro markets' in company break rooms throughout America, enabling employees to pay for food at self-service kiosks with cash, cards and even fingerprint scans.
The firm says that on 4 July it discovered a "sophisticated malware attack" which affected about 1900 kiosks.
The malware appears to have targeted card information, including names, card numbers and expiration dates. However, biometric data was not compromised.
While a forensic investigation is underway, Avanti says that it appears that the incident is down to the workstation of a third party vendor’s employee getting infected with malware.