I wouldn't be terribly surprised if you could create a barcode that caused a barcode reader to send <windows key>+r and run some arbitrary command. So perhaps it wasn't a vector for an ATM, but maybe some other barcode reader where workers scan in arbitrary things they are handed...TSA maybe?
Also, perhaps folks working in data centers can and confirm/deny, but from what I know it's usually strictly forbidden to bring any USB devices into a data center area.
We use USB drives as installers and, in some cases, as boot volumes. (And of course keyboards and mice on crash carts and USB serial ports for laptops.)
We’re not a cloud provider, but I’ve been in lots of DCs and seen plenty of USB devices.
