Samsung’s LoopPay breached by hackers but mobile payments data is safe says Samsung
LoopPay, the U.S.-created mobile payment system that was acquired by Samsung in February was the target of a hacker attack in March, revealed a report on Wednesday. LoopPay is the developer behind one of Samsung Pay’s core technologies that stores a lot of valuable data behind its virtual walls.
According to reports from The New York Times, a team of hackers who executed the attack as early as March on the South Korea-based company appear to be from China, known as the Codoso Group who managed to gain access to LoopPay’s corporate network. The incident was framed as a case of international, possibly corporate, espionage, rather than just another hack. The breach was discovered in August, giving the hackers a full five months access to the network.
Unlike Apple Pay and Android Pay, LoopPay uses magnetic secure transmission (MST), a radio-based mechanism that wirelessly emulates a credit card swipe. While most tap-and-pay mobile wallets require a point-of-sale system with near-field communication (NFC) capabilities, Samsung says MST works with “90 percent” of legacy terminals in use by U.S. retailers.
Speaking to The New York Times, LoopPay said that the ongoing investigation had found no evidence that the hackers accessed sensitive customer data. Will Graylin, LoopPay chief and co-general manager of Samsung Pay, told the Times that the group was not able to breach the system that stores payment information, which was echoed by Samsung executives.
“Samsung Pay was not impacted and at no point was any personal payment information at risk,” told Darlene Cedres, Samsung’s chief privacy officer in a statement. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network from Samsung Pay. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay. Samsung is extremely committed to securing and protecting user data to the highest industry standards.”
Nevertheless, the news of the attack comes less than two weeks after Samsung Pay’s launch in the United States.
According to Samsung, no personal payment information was ever at risk. Instead, it appears the hackers were after details on LoopPay’s MST technology. The company has not alerted law enforcement officials about the breach due to the fact that no customer or financial data was stolen.
“As soon as the incident was discovered, LoopPay followed their standard incident response procedures and acted immediately and comprehensively. LoopPay brought in two independent professional security teams,” reads the Samsung’s blog post. “Again, Samsung, Samsung Pay, and Samsung users were not affected.”
Samsung Pay was launched 38 days after the hack was discovered in the U.S. According to the Ponemon Institute, which tracks such events said that on an average, it takes 46 days for a hacker attack to be fully resolved.
Samsung had acquired LoopPay to take on its competitors, Apple Pay and Android Pay. It is likely to reach European markets in the due course of time, as the service has got MasterCard Digital Enablement system integrated.
