A Russian teenager was the author of the malware used to hack US retailer Target's payment system to collect payment card details of about 70 million customers, according to Cyber security firm IntelCrawler.
The Los-Angeles based cyber intelligence company said the creator of inexpensive "off the shelf" malware known as BlackPOS that was also used to attack retailer Neiman Marcus is close to 17 years old.
According to operative information from IntelCrawler, the person with the nickname "ree" is Sergey Taraspov, having roots in St. Petersburg and Nizhniy Novgorod (Russian Federation).
The first sample of the malware was created in March 2013, and was used for the first time at online retailers in Australia, Canada and the US. Subsequently, the author sold more than 60 versions of the software to cybercriminals in Eastern Europe and other countries.
IntelCrawler CEO Andrew Komarov said his company has identified six additional breaches at other retailers across the US. He did not identify the affected retailers.
"Most of the victims are department stores. More BlackPOS infections, as well as new breaches can appear very soon, retailers and security community should be prepared for them", Komarov said in a statement.
Komarov told Reuters that IntelCrawler has alerted law enforcement, Visa Inc and intelligence teams at several large banks about the findings. The news agency added, citing sources, that at least three other well-known national retailers have been attacked.
The findings indicate that the cyber attacks at the third-largest US retailer Target and upscale department store Neiman Marc are part of a wider attack on online payment systems across the globe.
Target discovered a major security breach in December 2013. Payment data from about 40 million credit and debit cards were stolen from Christmas shoppers at its stores over 19 days between 27 November and 15 December.
It has since been revealed that a further 70 million customer records with sensitive information such as names, telephone numbers and email addresses were also stolen.
Target has confirmed that cybercriminals used malware installed on Target's point-of-sale (PoS) cash register systems to siphon off the data.
In an open letter published in several US newspapers, Target's CEO Gregg Steinhafel has apologised for the data breach and vowed to cover all fraudulent charges arising from the breach.
Neiman Marcus has also disclosed that it suffered a similar cyber attack, but did not reveal the number of customers affected.
Both companies have said the federal authorities are investigating the data breach.