PAX devices sent data to Chinese third parties, Treasury warns


(Bloomberg) – Point of sale devices manufactured by PAX Global Technology Ltd. were transmitting encrypted data to unknown third parties in China, the US Treasury Department said.


Agency partners performed lab tests on PAX devices and found they would send transmissions “unnecessary to normal payment transaction processing,” according to a letter obtained by Bloomberg News and sent to financial services companies by the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection. Transmissions took place more often and were larger than normal payment transactions, the agency said.

“The Treasury’s preliminary assessment is that the transmission of data through these devices indicates the possibility of risks to the privacy of customer data,” a spokesperson for the agency said in an emailed statement. “We don’t believe these devices pose unique risks to data integrity or service availability.”

A spokesperson for PAX Technology Inc., a unit of PAX Global, called the security concerns “unspecified rumors” and said the company had not been made aware of specific security issues with its systems, products or services.

“Nonetheless, we continue to actively monitor our systems for possible threats, as we are committed to providing secure and quality systems and solutions,” said the spokesperson. “As an added level of assurance for our customers, we have further strengthened our team with leading security experts to help validate our security controls and infrastructure.”

PAX Global is headquartered in Hong Kong and its operational headquarters are in Shenzhen, China, according to its website. It manufactures terminals that process millions of transactions in stores around the world. According to the company, it has supplied 57 million terminals in more than 120 countries.

In this week’s letter, the Treasury said it was not aware of any attempt by PAX to use its devices for disruptive or destructive purposes. The agency said it does not believe PAX’s devices pose unique risks to network security, and that the loss of data from at-risk consumers poses “a low-severity threat to the US financial industry.”

“OCCIP encourages stakeholders in the US financial system to take a risk-based approach to protecting the privacy of their clients’ data, the integrity of their networks and the availability of their services,” the Treasury Department said in the letter. “Banks and financial service providers should apply this risk-based approach to their supply chains.”

On October 26, the FBI and other federal agencies raided the PAX Technology offices in Florida. “The investigation remains active and ongoing and no further information can be confirmed at this time,” said Amanda Videll, spokeswoman for the FBI.

Prior to the FBI raid, financial technology firm FIS began replacing terminals manufactured by PAX “because it did not receive satisfactory responses from PAX regarding its point-of-sale terminals connecting to websites not listed in the documentation provided,” according to a spokesperson. FIS found no evidence that the data was compromised, the spokesperson said.


© 2021 Bloomberg LP

