Samsung has said that all customer data are safe and that its Samsung Pay system has not been affected, after it was revealed that Chinese hackers breached the network of its U.S. subsidiary LoopPay in March.
The attack, which was uncovered in late August, targeted the company's office network, but Samsung claimed no customer data were at risk and the incident was dealt with "immediately and comprehensively" by LoopPay. Despite the attack taking place over six months ago, it only came to light Wednesday when the New York Times published a report which laid the blame for the attack on a hacking group known as the Codoso Group or Sunshock Group, which is said to be affiliated with the Chinese government.
The report suggests that the hackers were after the technology developed by the company rather than details of customers' payment transactions. The attack breached the security of three internal servers at LoopPay's offices in Woburn, Massachusetts.
LoopPay is a subsidiary of the South Korean electronics giant and handled mobile payments before the company introduced its proprietary Samsung Pay system earlier this year as a direct challenger to Apple Pay. LoopPay was acquired by Samsung in February for $250 million and the company has used its technology -- known as magnetic secure transmission or MST -- in its implementation of Samsung Pay.
A statement by the South Korean company said: "Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay office network, which is a physically separate network from Samsung Pay. The LoopPay incident was resolved and had nothing to do with Samsung Pay."
Samsung Pay launched in the U.S. just last week after a successful debut in South Korea, where it racked up $30 million worth of purchases in just one month, and is seen as a competitor for Apple Pay and Google's own Android Pay systems. Unlike its competitors, however, Samsung Pay uses MST technology, which gives it the advantage of working on older cash registers that support magnetic stripe cards.
The theft of intellectual property belonging to U.S. companies by Chinese hackers is a hot topic at the moment, after Washington called on Chinese President Xi Jinping to help prevent this during his recent state visit to the White House. The result of the summit was a range of agreements to help prevent these incidents, including the provision of a new high-level contact group and assurances that each side will investigate the other's complaints -- and resolve them where possible.
The breach of LoopPay's internal network took place in March, but the company was only made aware of it in late August when the security company investigating the operations of the Codoso Group found information relating to LoopPay. The same group was also responsible for a sophisticated attack on the Forbes website earlier this year, which infected visitors to the website.
"They Will Come Back"
While Samsung says its new payment system has not been compromised, some security experts disagree, saying that once such an attack takes place, it is very difficult to remove the threat from your network. “Once Codoso compromises their targets -- which range from dissidents to C-level executives in the U.S. -- they tend to stay there for quite a long time, building out their access points so they can easily get back in,” John Hultquist, head of intelligence on cyber-espionage at iSight Partners, told the New York Times. “They’ll come back to a previous organization of interest again and again.”
Samsung, however, is confident its new system is safe and secure: "Each transaction uses a digital token to replace a card number. The encrypted token combined with certificate information can only be used once to make a payment. Merchants and retailers can’t see or store the actual card data," it said.
Speaking to International Business Times, Mark Bower, global director, enterprise data security for HP Data Security, said that this type of attack is all too common. "Any company today has to assume a breach will happen and take more advanced threat mitigation measures. The payments business has learned the lesson hard over the years, and embraced far more powerful approaches to data security than traditional perimeter and storage encryption provides."