PAX Devices Sent Data to Chinese Third Parties, Treasury Warns
(Bloomberg) -- Point-of-sale devices manufactured by PAX Global Technology Ltd. were transmitting encrypted data to unknown third parties in China, the U.S. Treasury Department said.
Partners of the agency conducted lab tests on PAX devices and found they would send transmissions that were “superfluous to normal payment transaction processing,” according to a letter sent to financial-services companies by the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection and obtained by Bloomberg News. The transmissions happened more often and were larger in size than normal payment transactions, the agency said.
“Treasury’s preliminary assessment is that data transmission by these devices indicates the possibility of risks to customer data confidentiality,” a spokesperson for the agency said in an emailed statement. “We do not believe that these devices present unique risks to data integrity or service availability.”
A spokesman for PAX Technology Inc., a unit of PAX Global, dismissed the security concerns as “unspecified rumors” and said the company hadn’t been notified of specific security issues with its systems, products or services.
“Nonetheless, we continue to actively monitor our systems for possible threats because we are committed to providing secure and quality systems and solutions,” the spokesman said. “As an added layer of assurance for our customers, we have further enhanced our team with industry-leading security experts to help validate our security controls and infrastructure.”
PAX Global’s corporate headquarters is in Hong Kong, and its operational headquarters is in Shenzhen, China, according to its website. It makes terminals that process millions of transactions in stores worldwide. According to the company, it has supplied 57 million terminals to more than 120 countries.
In the letter this week, Treasury said it isn’t aware of any attempt by PAX to use its devices for disruptive or destructive purposes. The agency said it doesn’t believe PAX’s devices pose unique risks to network security, and loss of at-risk consumer data represents “a low-severity threat to the U.S. financial sector.”
“OCCIP encourages stakeholders in the U.S. financial system to adopt a risk-based approach to protecting the confidentiality of their customers’ data, the integrity of their networks, and the availability of their services,” the Treasury Department said in the letter. “Banks and financial service providers should apply this risk-based approach to their supply chains.”
On Oct. 26, the FBI and other federal agencies searched the Florida offices of PAX Technology. “The investigation remains active and ongoing and no additional information can be confirmed at this time,” said Amanda Videll, an FBI spokeswoman.
Prior to the FBI’s raid, financial technology company FIS began replacing terminals made by PAX “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation,” according to a spokesman. FIS didn’t find evidence that data was compromised, the spokesman said.
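The two observations reported above, terminals reaching endpoints absent from the vendor’s supplied documentation and transfers larger or more frequent than a normal payment transaction, translate directly into a fleet-wide egress check. The example below is added here and is not code from Bloomberg, Treasury, PAX or FIS; the hostnames, byte sizes, thresholds and flow records are constructed placeholders a deployment would replace with its own documentation and observed baseline.

```python
"""Flag POS terminal egress that is superfluous to payment processing.

Added example, not part of the article or of any vendor material. It applies
the two checks the article describes: destinations not listed in the vendor's
documentation, and transfers larger or more frequent than a normal transaction.
All hostnames, sizes, thresholds and flows below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Endpoints the vendor documentation lists for this terminal model (assumed).
DOCUMENTED_HOSTS = {"gateway.acquirer.example", "tms.vendor.example"}

# Baseline for one normal card transaction on this fleet (assumed values).
BASELINE_TX_BYTES = 2_000
SIZE_FACTOR = 5            # flag flows larger than 5x a normal transaction
WINDOW_SECONDS = 3600
MAX_FLOWS_PER_WINDOW = 50  # more than this per terminal/host/hour is abnormal


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds when the flow started
    terminal: str   # terminal identifier
    dst_host: str   # destination host or IP the terminal connected to
    tx_bytes: int   # bytes sent by the terminal in this flow


def find_superfluous_flows(flows):
    """Return (reason, flow) tuples for flows that warrant review."""
    findings = []
    per_window = defaultdict(int)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dst_host not in DOCUMENTED_HOSTS:
            findings.append(("undocumented_destination", f))
        if f.tx_bytes > SIZE_FACTOR * BASELINE_TX_BYTES:
            findings.append(("oversized_transfer", f))
        key = (f.terminal, f.dst_host, f.ts // WINDOW_SECONDS)
        per_window[key] += 1
        if per_window[key] == MAX_FLOWS_PER_WINDOW + 1:  # alert once per window
            findings.append(("excess_frequency", f))
    return findings


# Constructed sample: three normal transactions and one flow that trips both checks.
SAMPLE_FLOWS = [
    Flow(1_000, "pos-01", "gateway.acquirer.example", 1_800),
    Flow(1_060, "pos-01", "gateway.acquirer.example", 2_100),
    Flow(1_120, "pos-01", "203.0.113.7", 48_000),   # undocumented host, 24x baseline
    Flow(1_180, "pos-01", "tms.vendor.example", 900),
]
```

Fed from firewall, proxy or NetFlow records instead of the constructed list, the same function gives a per-terminal review queue rather than a one-off lab finding.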
©2021 Bloomberg L.P.