LoopPay — the Massachusetts-based company that Samsung acquired in February and the developer behind one of Samsung Pay’s core technologies — stores a lot of valuable data behind its virtual walls. Data so valuable, in fact, that the company’s servers were recently the target of state-sponsored hackers. The New York Times reports that as early as March, a team of government-affiliated Chinese hackers known as the Codoso Group managed to infiltrate LoopPay’s corporate network.
The apparent target of the breach was LoopPay’s technology. Unlike Apple Pay and Android Pay, LoopPay uses magnetic secure transmission (MST), a radio-based mechanism that wirelessly emulates a credit card swipe. While most tap-and-pay mobile wallets require a point-of-sale system with near-field communication (NFC) capabilities, Samsung says MST works with with “90 percent” of legacy terminals in use by U.S. retailers.
“Samsung Pay was not impacted and at no point was any personal payment information at risk.”
LoopPay, which became aware of the breach in late August, told the New York Times an ongoing investigation had found no evidence that the hackers accessed sensitive customer data. Will Graylin, LoopPay chief and co-general manager of Samsung Pay, told the Times that the group wasn’t able to breach the system that stores payment information. Samsung executives echoed those assurances.
“Samsung Pay was not impacted and at no point was any personal payment information at risk,” said Samsung’s chief privacy officer Darlene Cedres in a statement. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.” Samsung also said the breach won’t impact the U.S. rollout of Samsung Pay, which began a little over a month ago.
Some security analysts believe the extent of the damage may take weeks to uncover. The Codoso Group had access to LoopPay’s corporate servers for five months before a third-party company stumbled upon signs of the breach. And in an attack on Forbes perpetrated by the Codoso Group last November, later forensics revealed the presence of resilient backdoors to the news organization’s infrastructure.
LoopPay has hired two private security teams to investigate the breach. The company hasn’t notified law enforcement because it believes “no customer data or financial information had been stolen,” the Times reports.
The hack is the latest in a series of Chinese attacks on high-profile U.S. targets. A breach of the U.S. Office of Personnel Management’s (OPM) network in June affected four million state employee records, and in 2011, a Chinese state-affiliated group managed to breach the U.S. Chamber of Commerce.