Update on PAX U.S. Commissioned Independent Investigation on Network Communications of PAX Terminals

December 14, 2021

PAX Global Technology Limited (the “Company”, together with its subsidiaries, the “Group”) refers to the Company’s announcement dated 29 October 2021 (the “October Announcement”). Terms defined in the October Announcement have the same meanings when used in this announcement.

INDEPENDENT INVESTIGATION ON NETWORK COMMUNICATIONS OF PAX TERMINALS

Further to the October Announcement, Pax US has commissioned an independent investigation into the network communications of PAX terminals by Unit 42 by Palo Alto Networks, Inc. (“Unit 42”), an independent third party based in the U.S. Unit 42 was tasked with collecting and analysing network traffic transferred to/from PAX terminals while they were in use to determine the details of the network traffic, specifically whether there was any unauthorised data transfer, malicious traffic or events.

FINDINGS

After reviewing the network traffic from PAX terminals, Unit 42 has reported that it has found no instances of transmission of cardholder or other consumer information to any destination other than the payment processor.

Unit 42 reported that the network traffic reviewed was consistent with the intended features of the associated services of PAX terminals. Unit 42 also concluded that there was no unexplained network traffic in the course of its comprehensive and thorough inspection. The activity associated with the initial sign-in, transmission of cellular information, and/or information about the installed applications was unique for each PAX terminal. Therefore, packet sizes can vary, depending on, among others, the individual configuration of the PAX terminals. In other words, there was no finding of unusual “data packets” or “network packets” referred to in the KrebsOnSecurity Article.

Unit 42 analysed the IP addresses and hostnames involved with the network traffic observed from PAX terminals. Taking into consideration all the analyses and results, Unit 42 did not identify any malicious traffic or events in the network activity reviewed. In other words, following Unit 42’s report, the Company is still not aware of any finding of PAX terminals being involved in “cyberattacks”, used as malware “dropper” and as “command-and-control” locations referred to in the KrebsOnSecurity Article.

TEST ENVIRONMENT

Unit 42 was engaged to test and analyse network traffic to/from PAX terminals, using, among others, a penetration testing tool, a vulnerability assessment tool and a network traffic inspection tool. In its investigation, Unit 42 reviewed 15 PAX terminals that comprised three of PAX’s most popular Android-based models that were representative of the majority of PAX’s customer base within North America for Android-based devices, assorted in terms of memory sizes, scanner modules and accessories. When PAX terminals are in use, they transmit network data to communicate with servers that are managed by PAX as well as certain third-party service providers. Such network data is used for authentication and synchronisation and to check for updates. Network data sent to third-party service providers would include information about cellular data and the Wi-Fi networks within the accessible range of the PAX terminal, which allows the return of the device’s approximate geographical location.

INFORMATION OF PALO ALTO NETWORKS, INC. AND UNIT 42

Palo Alto Networks, Inc. is a global cybersecurity provider offering cybersecurity products and solutions. Unit 42 by Palo Alto Networks, Inc. is an industry leader in threat intelligence, threat hunting, malware analysis and triage and reverse engineering which carries out deep digital forensic analysis and investigations. Hailing from U.S. government agencies, law enforcement and global security firms, Unit 42 consultants have handled some of the largest data breaches in history. Its teams have conducted thousands of cyber risk evaluations and worked with organizations across the globe to identify and mitigate cyberthreats.

UPDATE ON SEARCH WARRANT AGAINST PAX US

To the best knowledge of the directors of the Company, there has been no development in relation to the search warrant against Pax US since the October Announcement.

By Order of the Board

PAX Global Technology Limited
Cheung Shi Yeung
Company Secretary

Hong Kong, 14 December 2021

As at the date of this announcement, the Board comprises three executive Directors, namely Mr. Nie Guoming, Mr. Lu Jie and Mr. Li Wenjin; and three independent non-executive Directors, namely Mr. Yip Wai Ming, Dr. Wu Min and Mr. Man Kwok Kuen, Charles.