
SitusAMC Supplemental Data Breach Notice, 20,456 WA Residents Affected


Summary

SitusAMC Holdings Corporation submitted a supplemental data breach notification to the Washington Attorney General on February 20, 2026, updating a prior submission regarding a data security incident. The supplemental notice confirms that individual notifications to affected Washington residents have been completed, with 20,456 residents notified by first-class mail as of March 10, 2026, in compliance with Gramm-Leach-Bliley Act and applicable state law requirements. The notification offers affected individuals identity protection services through IDX, including 24 months of CyberScan monitoring and up to $1,000,000 in identity theft insurance, with enrollment deadlines ranging from May 20 to June 10, 2026 depending on the notice variant.

“In total, 20,456 Washington residents have been notified by first-class mail regarding this incident, in accordance with notification requirements under the Gramm‑Leach‑Bliley Act and applicable state law.”

Why this matters

Companies subject to Gramm-Leach-Bliley Act obligations that maintain consumer financial data should review the notification timeline and remediation offerings in this incident. The breach involved mortgage transaction data and affected over 20,000 individuals with enrollment deadlines in May and June 2026 — entities with similar data profiles should assess whether their incident response and notification processes meet applicable state and federal timelines.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by Alston & Bird on agportal-s3bucket.s3.amazonaws.com. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.

About this source

GovPing monitors WA Data Breach Notifications for new data privacy & cybersecurity regulatory changes. Every update since tracking began is archived, classified, and available as free RSS or email alerts — 17 changes logged to date.

What changed

SitusAMC provided a supplemental notification to the Washington Attorney General confirming the completion of individual notifications to approximately 20,456 Washington residents affected by a data security incident. The incident potentially exposed personal information including names, addresses, dates of birth, driver's license numbers or other government-issued identifiers, and financial account information. Affected individuals and their minor dependents are being offered identity protection services through IDX, including 24 months of CyberScan monitoring and a $1,000,000 identity theft insurance policy, with enrollment deadlines between May 20 and June 10, 2026. SitusAMC indicates its client attribution process remains ongoing, and additional notifications may follow. Financial institutions and entities handling consumer financial data under Gramm-Leach-Bliley Act obligations should ensure their incident response and notification procedures align with the timeframes and service offerings described in this incident.

What to do next

  1. Enroll in identity protection services through IDX using the provided Enrollment Code by June 10, 2026
  2. Monitor account statements for suspicious activity
  3. Remain vigilant for 12 to 24 months and immediately report suspected fraud

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

The Atlantic Building
950 F Street, NW
Washington, DC 20004-1404
202-239-3300 | Fax: 202-239-3333

Kimberly Peretti
Direct Dial: 202-239-3720
kimberly.peretti@alston.com

CONFIDENTIAL
VIA EMAIL
Office of the Washington Attorney General
SecurityBreach@atg.wa.gov

Re: Supplemental Notice of Data Security Incident

To the Office of the Washington Attorney General:

We are writing on behalf of SitusAMC Holdings Corporation ("SitusAMC") to supplement our prior submission to your office dated February 20, 2026 (Submission Number A36744), regarding a data security incident and related notifications to Washington residents.

As previously described, due to the complexity of the underlying data and client relationships, SitusAMC proceeded with individual notifications in advance of final client attribution. The individual notification process has now concluded. All notice letters SitusAMC expects to send to potentially affected individuals on behalf of its clients have been mailed, with the final mailing completed on March 10, 2026. In total, 20,456 Washington residents have been notified by first-class mail regarding this incident, in accordance with notification requirements under the Gramm‑Leach‑Bliley Act and applicable state law. A representative copy of the individual notice letters provided to affected Washington residents is enclosed.

At this time, SitusAMC's client attribution process remains ongoing. To the extent any SitusAMC clients subsequently provide direction regarding state Attorney General notifications, SitusAMC will follow up as appropriate with an accounting of those clients and the final number of attributed individuals in your state.

All other details regarding the incident, the categories of information potentially involved, and the remedial measures offered to affected individuals remain as described in SitusAMC's prior submission.

Alston & Bird LLP www.alston.com

Atlanta | Brussels | Century City | Charlotte | Chicago | Dallas | London | Los Angeles | New York | Raleigh | San Francisco | Silicon Valley | Washington, D.C.


If you have any questions regarding this incident or if you desire further information or assistance, please email me at Kimberly.Peretti@alston.com or call my direct line at (202) 239-3720.

Kimberly Peretti Enclosures

RecordIndicator000001

Based on our investigation, the personal information involved may have included your name, address, date of birth, < > driver's license number or other government-issued identifier, and/or financial account information (such as bank account number or credit or debit card number). < > Not all data elements were involved for each individual.

enrollment using your Enrollment Code: < >. Please note the deadline to enroll is June 10, 2026.

SitusAMC

Equifax Experian

General.

RecordIndicator000098

Parent or Legal Guardian of:

March 4, 2026

To the Parent or Legal Guardian of < > < >: We are writing to notify you of a recent incident that may have impacted your child's personal information. SitusAMC

and the resources we are making available to your child. At this time, we are not aware of any fraudulent use of your child's personal information as a result of this incident.

child's personal information may have been involved.

Based on our investigation, the personal information involved may have included your child's name, address, date of birth, and Social Security number or individual taxpayer identification number. < >

incident, we are offering identity protection services for your child through IDX, the data breach and recovery services expert. IDX identity protection services include: 24 months of CyberScan monitoring, a $1,000,000 insurance issues if your child's identity is compromised. To activate these services, please take the following steps:

enrollment using your child's Enrollment Code: < >. Please note the deadline to enroll is June 4, 2026.

knowledgeable representatives about the appropriate steps to take to protect your child's credit identity. We encourage you to review and monitor account statements for suspicious activity. Federal regulatory agencies recommend that you remain vigilant for the next 12 to 24 months and immediately report any suspected incidents of fraud to us or the relevant financial institution. We would also encourage you to avoid clicking on links or downloading attachments from suspicious emails and to be cautious of any unsolicited communications that ask for your personal information or refer you to a website asking for personal information.

consider taking to protect your child against fraud and identity theft.

Legal/Regulatory Office. To help our care team respond promptly, please include your full name and child's name, a phone number where you can be reached, and a brief description of your question or the assistance you are requesting.

SitusAMC

Equifax Experian

General.

RecordIndicator000008

Based on our investigation, the personal information involved may have included your name, address, < >.

enrollment using your Enrollment Code: < >. Please note the deadline to enroll is June 10, 2026.

SitusAMC

Equifax Experian

RecordIndicator001728

Parent or Legal Guardian of:

To the Parent or Legal Guardian of < > < >: We are writing to notify you of a recent incident that may have impacted your child's personal information. SitusAMC

information in connection with mortgage transactions. < > This letter explains the circumstances as we understand them and the resources we are making available to your child. At this time, we are not aware of any fraudulent use of your child's personal information as a result of this incident.

child's personal information may have been involved.

Based on our investigation, the personal information involved may have included your child's name, address, < >.

incident, we are offering identity protection services for your child through IDX, the data breach and recovery services expert. IDX identity protection services include: 24 months of CyberScan monitoring, a $1,000,000 insurance issues if your child's identity is compromised. To activate these services, please take the following steps:

enrollment using your child's Enrollment Code: < >. Please note the deadline to enroll is June 10, 2026.

knowledgeable representatives about the appropriate steps to take to protect your child's credit identity. We encourage you to review and monitor account statements for suspicious activity. Federal regulatory agencies recommend that you remain vigilant for the next 12 to 24 months and immediately report any suspected incidents of fraud to us or the relevant financial institution. We would also encourage you to avoid clicking on links or downloading attachments from suspicious emails and to be cautious of any unsolicited communications that ask for your personal information or refer you to a website asking for personal information.

consider taking to protect your child against fraud and identity theft.

Legal/Regulatory Office. To help our care team respond promptly, please include your full name and child's name, a phone number where you can be reached, and a brief description of your question or the assistance you are requesting.

SitusAMC

Equifax Experian

RecordIndicator000001

February 20, 2026

Based on our investigation, the personal information involved may have included your name, address, date of birth, < > driver's license number or other government-issued identifier, and/or financial account information (such as bank account number or credit or debit card number). < > Not all data elements were involved for each individual.

enrollment using your Enrollment Code: < >. Please note the deadline to enroll is May 20, 2026.

SitusAMC

Equifax Experian

General.

RecordIndicator172684

February 20, 2026

Based on our investigation, the personal information involved may have included your name, address, < >.

enrollment using your Enrollment Code: < >. Please note the deadline to enroll is May 20, 2026.

SitusAMC

Equifax Experian


About this page

What is GovPing?

Every important government, regulator, and court update from around the world. One place. Real-time. Free.

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from Alston & Bird.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.


Classification

Agency: Alston & Bird
Published: February 20th, 2026
Compliance deadline: June 10th, 2026 (47 days)
Instrument: Notice
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Financial advisers, Consumers, Banks
Industry sector: 5221 Commercial Banking
Activity scope: Data breach notification, Identity protection services, Consumer financial data
Threshold: 20,456 Washington residents notified
Geographic scope: Washington (US-WA)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Compliance frameworks: GLBA
Topics: Cybersecurity, Consumer Finance
