Chinese Hackers Attack Samsung’s LoopPay, Company Says Payments System Not Breached

A group of Chinese hackers (rumored to be government-affiliated), alternatively known as the Codoso Group or Sunshock Group has struck again. The sophisticated hacking group were the masterminds behind another cyber espionage campaign, employing a watering hole style attack using and other websites. iSIGHT PArtners, a global cyber threat intelligence firm, announced the discovery of the cyber attack on February 10, 2015.

According to the New York Times (NYT), this time around, LoopPay, a small Massachusetts subsidiary of the South Korean electronics giant was the target of the government-affiliated Chinese hackers. The mobile payment system was acquired by Samsung in February, for more than $250 million. LoopPay executives said the Codoso hackers appeared to have been after the company’s technology, known as magnetic secure transmission (MST). The technology has an advantage because it also works with older payment systems by emulating a commonly used magnetic stripe card.

NYT reports, the attackers are believed to have broken into LoopPay’s corporate network, but not the production system that helps manage payments, said Will Graylin, LoopPay’s chief executive and co-general manager of Samsung Pay. Mr. Graylin said that security experts were still looking through LoopPay’s systems, but that there had been no indication that the hackers infiltrated Samsung’s systems or that consumer data had been exposed.

Both LoopPay and Samsung executives said they were confident that they had removed infected machines, and that customer payment information and personal devices were not affected. They added that there was no need to delay the introduction of Samsung Pay, which had its debut in the United States last week after executing more than $30 million worth of purchases in South Korea.

Samsung Pay was not impacted and at no point was any personal payment information at risk, Darlene Cedres, Samsung’s chief privacy officer, said in a statement. This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.

Samsung introduced Samsung Pay in the United States just 38 days after LoopPay learned it had been breached. On average, it takes 46 days before an attack by hackers can be fully resolved, according to the Ponemon Institute, a nonprofit that tracks breaches. But the time to fix the damage is typically much longer in cases of sophisticated Chinese hackings like the one at LoopPay.

LoopPay has not notified law enforcement about the breach, Mr. Graylin said, because his firm believed no customer data or financial information had been stolen.

He also played down concerns that hackers might try to use the information they stole about his company’s technology in order to infiltrate Samsung Pay or create a copycat product. He said if such a thing emerged, LoopPay could file a patent lawsuit. What’s more, he said, it would be viable only if major banks, credit card companies and carriers were willing to team up with the copycat.

With unfavorable timing, today Wednesday, October 7, 2016, Samsung Electronics released their third quarter earnings, which showed promising results for the future. Samsung's operating profit had increased nearly 80 percent.