(CNN) - A security firm that had pointed the finger at a 17-year-old Russian last week updated its report Monday to identify a different Russian resident as being responsible for writing the malware used in an attack compromised the credit card numbers and other personal information of up to 110 million Target customers.
In a statement published Friday, security firm IntelCrawler said the breach was the result of malware that infected Target's payment system and possibly compromised the systems of other retailers. Neiman Marcus reported a similar security breach this month.
The 17-year old does not appear to be solely responsible for the attack. Independent security researcher Brian Krebs earlier reported that other code in the Target hack pointed to a Ukraine resident.
Experts say the author may have shared it with others.
"Well, we should be worried. One of the things the hackers do is take the malware as it's called. Once it's identified, then the security community can rally around it and put controls in place. But the problem is, the hackers know that. And they manipulate or mutate this malware, and then reuse it," SecureState CEO Ken Stasiak said.
"We believe that he originated the code, or the malware everybody's calling it now. And was able to put it up on the Internet for download for other hackers to then take, and potentially use it for malicious harm. And that's what we believe happened to Target and Neiman Marcus."
The first sample of the malware was created in March and since then, more than 40 versions have been sold around the world, IntelCrawler said. It first infected retailers' systems in Australia, Canada and the United States.
Andrew Komarov, IntelCrawler CEO, said most of the victims are department stores and said more BlackPOS infections as well as new breaches could appear soon. Retailers should be prepared.
"The numbers could be staggering, really, because what the retailers are looking at are potential class action lawsuits," CNN legal analyst Paul Callan said.
"Let's say hypothetically, a retailer has 40 million transactions by 40 million different customers. All 40 million may have been damaged in some way, and under law they can all be joined together in a class action lawsuit."
Thursday, April 24 2014 8:05 PM EDT2014-04-25 00:05:57 GMT
Michael Phelps is coming out of retirement, and his first event on the road back to glory is right here in the Valley. The 22-time Olympic medalist will compete in the Arena Grand Prix April 24-26, atMore >
Michael Phelps said in Mesa on Wednesday his love of swimming and thirst for competition led him to come out of retirement.More >
Wednesday, April 23 2014 9:42 PM EDT2014-04-24 01:42:05 GMT
Five top employees have been fired from Arizona's new child welfare agency. Director Charles Flanagan said these workers were responsible for the internal process that led to more than 6,500 abuse andMore >
Director Charles Flanagan said these workers were responsible for the internal process that led to more than 6,500 abuse and neglect cases being closed without investigations.More >
Thursday, April 24 2014 7:25 AM EDT2014-04-24 11:25:54 GMT
The pictures strewn about Ava Boyce's house are a constant but pleasant reminder of the "angel" she said she had for 18 years."He never got in trouble, he never lied," said Boyce, talking about her lateMore >
The pictures strewn about Ava Boyce's house are a constant but pleasant reminder of the "angel" she said she had for 18 years.More >
Thursday, April 24 2014 8:19 AM EDT2014-04-24 12:19:18 GMT
Five fired top level social workers are banding together and fighting to clear their names. This comes after a Department of Public Safety investigation held them responsible for creating a system whereMore >
Five fired top level social workers are banding together and fighting to clear their names. More >