PAX devices were sending data to Chinese third parties, the Treasury Department warns
(Bloomberg) – Point-of-sale devices manufactured by PAX Global Technology Ltd. transmitted encrypted data to unknown third parties in China, the US Treasury Department said.
Agency partners conducted laboratory tests on PAX devices and found they were sending transmissions that were “unnecessary for normal payment processing,” according to a letter obtained by Bloomberg News that was sent to financial services companies by the Treasury's office for cybersecurity and critical infrastructure protection. The transmissions were more frequent and larger than normal payment transactions, the agency said.
“The Treasury Department’s preliminary assessment is that data transmission through these devices indicates possible risks to the confidentiality of customer data,” an agency spokesman said in a statement sent via email. “We do not believe that these devices pose unique risks to data integrity or service availability.”
A spokesman for PAX Technology Inc., a unit of PAX Global, dismissed the security concerns as “unspecified rumors” and said the company had not been made aware of specific security issues with its systems, products, or services.
“Nevertheless, we continue to actively monitor our systems for possible threats, as we are committed to providing secure and high-quality systems and solutions,” said the spokesman. “To add extra security for our customers, we have further strengthened our team with industry-leading security experts to validate our security controls and infrastructure.”
PAX Global’s corporate headquarters are in Hong Kong and its operational headquarters are in Shenzhen, China, according to its website. It manufactures terminals that process millions of transactions in stores around the world. The company says it has delivered 57 million terminals to more than 120 countries.
In this week’s letter, the Treasury Department said there was no known attempt by PAX to use its devices for disruptive or destructive purposes. The agency said it does not believe PAX’s devices pose unique network security risks and that the loss of compromised consumer data poses “a low-severity threat to the US financial sector.”
“OCCIP encourages US financial system stakeholders to take a risk-based approach to protecting the privacy of their customers’ data, the integrity of their networks, and the availability of their services,” the Treasury Department said in a letter. “Banks and financial service providers should apply this risk-based approach to their supply chains.”
On October 26th, the FBI and other federal agencies raided PAX Technology’s Florida offices. “The investigation remains active and ongoing and no additional information can be confirmed at this time,” said Amanda Videll, a spokeswoman for the FBI.
Prior to the FBI raid, financial technology company FIS began replacing terminals manufactured by PAX “because it did not receive satisfactory responses from PAX regarding its point-of-sale devices connecting to websites not listed in the documentation provided,” according to a company spokesperson. FIS did not find any evidence of data being compromised, the spokesman said.
© 2021 Bloomberg LP