Samsung Pay launched less than two weeks ago, but a new report from The New York Times shows that LoopPay — the small mobile commerce platform that was acquired by Samsung in February 2015 — was hacked even before the Samsung Pay launch.
The report indicates that LoopPay, which uses its patented Magnetic Secure Transmission (MST) technology to turn existing mag stripe readers into mobile contactless receivers, was hit by a targeted attack from hackers in China who are suspected to be government-affiliated.
The latest details show that the attack could date back as early as March and was carried out by hackers known to those who track hacking groups as the Codoso Group or Sunshock Group. The reports indicate LoopPay’s computer network was breached in what was thought to have been an attempt to go after LoopPay’s technology secrets, specifically MST — the key component behind making Samsung Pay work for more merchants.
Samsung has released a statement following the breach.
“Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network from Samsung Pay. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay. Samsung is extremely committed to securing and protecting user data to the highest industry standards,” Darlene Cedres, Samsung’s chief privacy officer, said in a statement.
The suspicion is that the hackers breached LoopPay’s corporate network but likely not the systems that manage payments, Will Graylin, LoopPay’s chief executive and co-general manager of Samsung Pay, told NYT. He noted that the company has security experts investigating the incident but relayed that there was no evidence the hackers were able to breach Samsung’s consumer data.
The breach, which was identified only recently, in August, came to light when a hacking tracker organization found LoopPay’s data. LoopPay and Samsung expressed confidence that the infected machines have been removed and that consumer payment data and devices were safe.