One of the big new features Samsung has been touting this year is Samsung Pay, or Samsung’s own Apple Pay rival that it touted as “ready to go” at more shops than Apple Pay could ever reach, as it didn’t require special hardware from retailers.
At the same time, though, Chinese hackers were breaching the computer network of LoopPay, a startup Samsung bought in February for more than $250 million, which is responsible for part of the technology that makes Samsung Pay work.
LoopPay only learned about the breach in August, at a time when Samsung was preparing to launch the service in the U.S.
The hackers, identified as the Codoso Group or Sunshock Group by those who track them, looked to steal the company’s technology that’s employed in Samsung Pay. Known as magnetic secure transmission or MST, the technology works with older payment systems that lack NFC support, emulating the magnetic stripe card.
The attackers have apparently broken into LoopPay’s corporate network, but they have not breached the production system that helps manage payments, LoopPay CEO Will Graylin told The New York Times.
There are no indications that hackers infiltrated Samsung’s systems or that they have accesses consumer data.
“Samsung Pay was not impacted and at no point was any personal payment information at risk,” Samsung’s chief privacy officer Darlene Cedres said in a statement. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.”
Unidentified people familiar with the matter and experts tracking the Codoso hackers say it’s premature to say what the hackers were able to do since they were discovered only in August, five months after the breach.
The same group of hackers, whose modus operandi includes staying hidden in a breached network and planting back doors, attacked Forbes in February with malicious code that was then able to infect visitors of the site.
It’s not clear at this time whether the hackers looked to breach Samsung Pay or simply to steal the data necessary to replicate the LoopPay payment system. Graylin downplayed concerns that hackers might want to steal user data or create a copycat product.
The company is working with two forensic teams on the breach but has not contacted law enforcement.
Samsung Pay was launched in the U.S. 38 days after the hack had been discovered. On average, it takes 46 days for a hacker attack to be fully resolved, according to the Ponemon Institute, which tracks such events.