PAX Technology announcement and resumption of trading
PAX Global Technology Limited (the “Company”, together with its subsidiaries, the “Group”) refers to a significant drop in the price of its shares (the “Shares”) since the opening of the morning trading session on The Stock Exchange of Hong Kong Limited (the “Stock Exchange”) on 27 October 2021. The Company applied for a trading halt which took effect from 10:56 a.m. on 27 October 2021 pending the issue of this announcement.
Having made such enquiry with respect to the Company as is reasonable in the circumstances, the Company confirms that it is not aware of any reasons (apart from possibly the matters disclosed below) for the drop in price or of any information which must be announced to avoid a false market in the Company’s securities or of any inside information that needs to be disclosed under Part XIVA of Securities and Futures Ordinance.
SEARCH WARRANT ON PAX US
On 26 October 2021 (Eastern Standard Time of the United States (the “U.S.”)), officers from the Federal Bureau of Investigation (FBI) and the Customs and Border Protection of the U.S. executed a court-authorized search to seize certain items at the Florida office and warehouse of Pax Technology, Inc. (“Pax US”), a wholly-owned subsidiary of the Company, and carried out interviews with certain employees of Pax US. The Group has not been informed of any statement issued by these authorities in connection with the subject matter, or the purpose of the search & interviews. The Board of Directors of the Company (the “Board”) is not aware of any charge having been filed against the Group in relation to such incident.
Pax US has resumed normal operations. While the publicity surrounding the search, and the media articles referred to below, have attracted interest and enquiries from the Group’s business partners, amongst others, the Group has not observed any material adverse change to its operations and/or business. Based on the facts and circumstances currently known, the Company does not envisage any material financial impact on the Group. The Group will continue to focus on delivering products and services to its customers and uphold the highest product standards in its business operation.
MEDIA REPORTS
Two articles came to the attention of the Board, prior to the release of this announcement, one dated 26 October 2021 entitled “FBI Raids Chinese Point-of-Sale Giant Pax Technology” published on the “KrebsOnSecurity.com” blog (which appears to be based in the U.S.) (the “KrebsOnSecurity Article”), and the other dated 28 October 2021 entitled “FIS’s Worldpay Replaces PAX Terminals Over Security Concerns” published on Bloomberg (the “Bloomberg Article”), as well as certain other media reports in connection with those articles.
For potential investors and shareholders of the Company (the “Shareholders”), the Company would like to provide clarification below in relation to certain statements included in the KrebsOnSecurity Article and the Bloomberg Article.
1. The KrebsOnSecurity Article stated that:
“KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.”
“According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” - a repository for malicious files - and as “command-and-control” locations for staging attacks and collecting information.”
“"My sources say that there is tech proof of the way that the terminals were used in attack ops.” the source said.”
The Company notes the KrebsOnSecurity Article did not provide particulars of any such “reports”. It only referred to a second hand hearsay quote from the “source” of the writer that referred to other unnamed sources that “there is tech proof of the way that the terminals were used in attack ops ”. The KrebsOnSecurity Article also went on to say that specific details were not available.
The Group’s products and services are subject to, and are certified to be compliant with, the Payment Card Industry (PCI) compliance standards and all relevant laws and mandatory regulations of countries worldwide. They are therefore designed to achieve the requisite industry standards for certain cybersecurity (including online security in connection with malicious software). Similar to other reputable industry peers, the Group has always taken, and continues proactively to take, the initiative to enhance security standards of its products both generally and in collaboration with its customers and external third-party test laboratories to carry out product certifications, software penetration testing and other stringent security-related controls, where appropriate, carry out necessary fixing and mitigating measures in a timely manner.
As far as the Board is aware based on due enquiries, as of the date of this announcement, there have neither been any reported cyberattack incidents nor cyberattack complaints, including any breach of security protocols, against PAX products and services anywhere in the world.
2. The KrebsOnSecurity Article and the Bloomberg Article stated respectively, that:
“.... KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.”
“A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
“The source said two major financial providers – one in the United States and one in the United Kingdom – had already begun pulling PAX terminals from their payment infrastructure...”
“.... the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software.”
“.... told Bloomberg the company confirmed that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation.”
The Company notes that the KrebsOnSecurity Article did not identify the “major U.S. payment processor” or the “two major financial providers” but did mention “FIS Worldpay” in an update published on 27 October 2021 with reference to the Bloomberg Article.
Fidelity National Information Service, Inc. (“FIS”), a U.S. based financial products and services provider, and its affiliate based in the United Kingdom (the “U.K.”), namely Worldpay, Inc. (“Worldpay”) discontinued their deployment of PAX terminals in the U.S. and the U.K. in early October 2021. The Company estimates that the revenue attributable to FIS and Worldpay and the distributors that sell the Group’s products to FIS and Worldpay for the year ended 31 December 2020 amounted to approximately HK$ 14 million (circa USD 1.8 million), representing approximately 0.25% of the total revenue of the Group for that year. On this basis, the ceasing of purchases of PAX terminals by FIS and Worldpay should not have any material adverse impact on the Group.
The Group diligently addressed and responded to routine cybersecurity related questionnaires from FIS and Worldpay in the ordinary course of operations. The Group believes that it had properly addressed the enquiries from FIS and Worldpay regarding the PAX payment terminals, including functions that can affect the volume of data transmission which may have been regarded as “unusual network packets”. FIS and Worldpay have also been supplied with information of server locations of all PAX provided applications on its payment terminals which operate on an Android-based operating system. The Group’s point-of-sale devices which run Android-based operating systems, connect only with servers (as opposed to websites) of application providers listed in its supplied documentation. To the extent that a server uses “dynamic Internet Protocol (IP) addresses”, which is what other reputable industry peers and technology giants also use to provide better user experience, it would be almost impossible for the Group to produce every and all IP addresses adopted by that server.
Data that is transmitted by PAX terminals (as formatted in the form of “data packets” or “network packets”) would typically include not only payment data but also other data in connection with the applications installed on the payment terminals (e.g. geolocation, loyalty programmes and/or online ordering applications) and “telemetry data” that relates to data and memory usage by the central processing unit (CPU) of the payment terminal and includes “data packets” or “network packets” containing software updates for such functions. Therefore, depending on how consumer businesses (where the Group’s payment terminals are typically deployed) are operated and the configuration of communication of the applications with host, “data packets” or “network packets” sizes can vary and be larger than what basic payment data would involve.
RESUMPTION OF TRADING
At the request of the Company, trading of shares of the Company was halted with effect from 10:56 a.m. on 27 October 2021. Application has been made by the Company to the Stock Exchange for the resumption of trading of the Shares of the Company with effect from 9:00 a.m. on 1 November 2021.
Shareholders and potential investors of the Company should exercise caution when dealing in the securities of the Company. The Company will make further announcement(s) in relation to the matters disclosed in this announcement as and when appropriate.
By Order of the Board
PAX Global Technology Limited
Cheung Shi Yeung - Company Secretary
Hong Kong, 29 October 2021
As at the date of this announcement, the Board comprises three executive Directors, namely Mr. Nie Guoming, Mr. Lu Jie and Mr. Li Wenjin; and three independent non-executive Directors, namely Mr. Yip Wai Ming, Dr. Wu Min and Mr. Man Kwok Kuen, Charles.