Cyber Incident Victim: LoopPay
Date: Mar 2015
Location: United States of America
Summary
A Massachusetts-based subsidiary providing technology for Samsung Pay experienced a breach by Chinese state-affiliated hackers targeting its magnetic secure transmission (MST) intellectual property. The attackers infiltrated the corporate network but reportedly did not compromise payment systems or consumer data. Discovery occurred five months post-breach through an unrelated investigation, with forensic analysis ongoing. While the subsidiary and Samsung asserted prompt containment and no impact on payment services or user devices, security experts highlighted risks of persistent access due to the hacking group's known tactics of embedding backdoors. The incident coincided with Samsung Pay's U.S. launch amid competitive pressures in the mobile payment sector.
Description
In March 2015, Chinese state-affiliated hackers known as Codoso Group or Sunshock Group breached the corporate network of LoopPay, a Burlington, Massachusetts-based subsidiary acquired by Samsung Electronics in February 2015 for over $250 million. The attackers targeted LoopPay’s magnetic secure transmission (MST) technology, a core component of Samsung Pay’s mobile payment system that emulates magnetic stripe cards to enable compatibility with older payment terminals. The intrusion persisted undetected for five months until late August 2015, when an unrelated investigation tracking Codoso Group’s activities uncovered LoopPay’s compromised data. Forensic analysis indicated the hackers infiltrated LoopPay’s corporate systems but did not access the separate production network handling payment transactions. LoopPay CEO Will Graylin and Samsung executives asserted no consumer payment data or personal devices were compromised, emphasizing that Samsung Pay’s infrastructure remained isolated from the breach.

LoopPay engaged two forensic firms on August 21, 2015 (one month before Samsung Pay’s U.S. launch) to investigate the breach. One firm, Soteria, was removed after three days due to a contractual dispute over the scope of its analysis, though investigations continued with the unnamed second firm. Samsung proceeded with the U.S. rollout of Samsung Pay just 38 days after the breach was discovered, despite industry averages suggesting a 46-day remediation period for such incidents. Security experts cautioned that Codoso Group typically plants persistent backdoors in victim networks, citing its prolonged access in prior breaches such as the 2011 U.S. Chamber of Commerce attack, where hackers maintained footholds through peripheral devices. Samsung’s Chief Privacy Officer Darlene Cedres described the incident as resolved and isolated to LoopPay’s corporate network, with no impact on Samsung Pay’s security or consumer data. LoopPay opted against notifying law enforcement, citing no evidence of stolen customer or financial information. The disclosure emerged during a competitive phase for Samsung, which was launching Samsung Pay against Apple Pay while facing market pressure from lower-cost smartphone rivals like Xiaomi.
