Chinese hackers breach Samsung Pay tech subsidiary

Chinese hackers infiltrated a key Samsung subsidiary that provides the technology backbone of its new mobile payment service, The New York Times reports.

The hackers appear to have been after the company’s magnetic secure transmission (MST) technology, which is a critical feature of Samsung Pay, LoopPay executives told the Times.


LoopPay CEO Will Graylin said that the attackers broke into LoopPay’s corporate networks but that there is no indication that Samsung itself was breached or that consumer data was exposed.

“Samsung Pay was not impacted and at no point was any personal payment information at risk,” Darlene Cedres, Samsung’s chief privacy officer, said in a statement. “This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network. The LoopPay corporate network issue was resolved immediately and had nothing to do with Samsung Pay.”

Samsung acquired the Burlington, Mass.-based startup for over $250 million in February, a month before the hackers likely gained entry.

Its MST technology allows Samsung Pay to work with older cash registers by imitating a magnetic stripe card, something competitors from Apple and Google don’t do.

The breach was uncovered in late August but did not delay the public debut of Samsung Pay last week.

Executives have not disclosed the breach to law enforcement, they say, because they do not believe consumer data was affected.

Security experts have pinned the blame on a Chinese group known as the Codoso Group, or Sunshock Group. Known for maintaining an extended presence in infiltrated networks, the Codoso Group was inside LoopPay’s system for five months before it was discovered.

The report of the hack comes just weeks after the United States and China reached an agreement to halt corporate hacking for economic gain.

The two nations agreed to “step up crime cases, investigation assistance and information sharing,” Chinese President Xi Jinping said. “Both governments will not engage in or support online theft of intellectual property.”

The remarks came during the Chinese leader’s first official state visit, which was overshadowed by ongoing allegations that Beijing has either tacitly or explicitly condoned hacks on U.S. firms.

Whether the agreement will stem the barrage of cyberattacks originating in China remains to be seen. Both the White House and lawmakers expressed skepticism that Beijing will keep its promise.

“What I’ve said to President Xi and what I say to the American people, the question now is: Are words followed by actions?” President Obama said in a press conference announcing the deal. “We will be watching carefully to make an assessment as to whether progress has been made in this area.”

Graylin brushed off concerns that any stolen trade information could be used to create a copycat product, noting that LoopPay could file a patent lawsuit. He added that such action would likely be moot, because it assumes that major banks and credit card companies would be willing to do business with the copycat.