Beth Belton, USA TODAY
The malware behind data breaches at Target and Neiman Marcus during the holiday shopping season came from a 17-year-old Russian national, according to published reports over the weekend.
MarketWatch, a financial news and commentary website, and the websites of the New York Daily News and The Washington Post said Intelcrawler, a California-based Internet security firm, identified the creator of the malicious software. His name has not yet been published.
An Intelcrawler blog post late Friday said the teenager, who is from St. Petersburg, wrote the programming code that enabled personal information, including credit card data, emails and home addresses to be obtained from millions of shoppers at Target and Neiman Marcus in late December.
He allegedly sold the malware, dubbed BlackPOS, according to the published reports, to cybercriminals in eastern Europe, who have not been identified. Intelcrawler CEO Andrew Komarov said the software enabled the identity thieves to remotely hack into the retailers' electronic cash registers and obtain the personal information of shoppers.
Komarov also said that the malware has been downloaded some 60 times, according to the published reports, raising the possibility that other retailers besides Target and Neiman Marcus were hacked in recent weeks or might be at risk of being hacked in the future.
Target, the nation's second-largest retailer, has apologized for the security breach, which it said affected up to 110 million shoppers. Neiman Marcus has not said how many customers were affected by its breach, though several security analysts have said they believe it was at least 1 million shoppers.
State and federal officials, including the Secret Service, have launched an extensive investigation into the Target and Neiman Marcus breaches.