When LoopPay was acquired by Samsung in February, it looked like a quick way to build a payments system from scratch — but Samsung may have been buying more than it realized. According to a new report from The New York Times, LoopPay’s internal networks were breached by a China-based hacker group as early as March. Crucially, the attack does not appear to have breached the system that handles payments, so there’s no reason to believe user data is at risk. Instead, LoopPay executives believe the attackers were after the technology that powers the payment system, which transmits payment information with an encrypted magnetic signal sent from a coil built into the phone itself.
In a statement, Samsung reiterated that no user data was compromised, saying, “Samsung Pay was not impacted and at no point was any personal payment information at risk. This was an isolated incident that targeted the LoopPay corporate network, which is a physically separate network from Samsung Pay.”
The compromise came from the same attack that compromised Forbes.com in February, seeding malware through the site’s Thought of the Day feature. As it turns out, that compromise was the first stage in a broader attack, which ultimately resulted in unauthorized access to LoopPay’s internal managerial network. Notably, LoopPay learned of the breach just 38 days before Samsung Pay was rolled out to customers.
If current impressions of the breach bear out, it would be the latest in a string of China-based economic espionage attacks aimed at companies in the US, ranging from phone antennas to corn seeds. Congress has responded to the increasingly common thefts with the Defend Trade Secrets Act, which would increase federal penalties and prosecutorial power for such crimes, although critics say the bill could give rise to dangerous overreach.