It’s been a rough winter for corporate chain stores. First, Target was hit with a massive cyber attack that exposed credit and debit card information for an initial estimate of 40 million people. Next, luxury clothing chain Neiman Marcus fell under a similar cyber attack, while Target’s estimate of impacted customers swelled first to 70 million people, then to 110 million. What has followed has been a mass flurry of identity theft, compromised credit cards, cancelled debit cards, and plentiful headaches for everyone involved. Suffice to say that, if you’re afraid to use your credit card in a store these days, you aren’t the only one.

Now however, a security company believes that it has identified the perpetrator behind the global cyberattack. According to a report published by the Washington Post on Friday, the security firm IntelCrawler has marked a Russian teenager as the source of the malicious software used in the attacks on Target and Neiman Marcus. IntelCrawler does not believe that the teenager, a 17-year-old in St. Petersburg, committed the cyber attacks himself. However, the teen was the author of the software that gave cyber criminals access to retail payment terminals, in turn supplying them with customer credit card information.

However, the fact that the source of the problem has been found will do little to correct the issue or save customers around the world from compromised payment information. On the contrary, IntelCrawler estimates that the software the Russian teen created – a program called BlackPOS – has been disseminated to as many as 60 cyber criminals or criminal groups throughout Eastern Europe. IntelCrawler expects that more retailers will discover their own security oversights in the coming weeks and months. In other words, the Target disaster could go down in history as merely the first headache in a much broader cybercrime problem. Supposedly, IntelCrawler has identified six additional breaches at other American retailers, but the security firm has not elaborated or revealed which retailers those may be.

While the BlackPOS software is undoubtedly a big problem for North American retailers and for any customers who frequently pay with credit or debit cards, IntelCrawler says that the bigger issue is that most retailers are still using laughably simplistic and easy-to-guess passwords to “protect” their servers. Without proper passwords or other protective measures, United States companies are sitting ducks for hackers, both foreign and domestic.

Meanwhile, the Russian teenager who developed the BlackPOS software is still at large and reportedly has a reputation among European coding black markets as a well-known and respected programmer.