North Dakota Data Breach Notification - ShareThis

Edward J. Finn Office: (267) 930-4776 Fax: (267) 930-4771 Email: efinn@mullen.law 1275 Drummers Lane, Suite 302 Wayne, PA 19087Mullen.law February 28, 2019 VIA E-MAIL & U.S. 1ST CLASS MAIL Office of the Attorney General Consumer Protection and Antitrust Gateway Professional Center 1050 E Interstate Avenue Suite 200 Bismarck, ND 58503-5574 Email: ndag@nd.gov Re: Notice of Data Event Dear Sir or Madam: We represent ShareThis, Inc. (“ShareThis”) located at 4005 Miranda Avenue, Suite 100, Palo Alto, CA 94304-1227 and are writing to notify your office of an incident that may affect the security of some personal information relating to an unknown number of North Dakota residents. This notice may be supplemented with any new significant facts learned subsequent to its submission. By providing this notice, ShareThis does not waive any rights or defenses regarding the applicability of North Dakota law, the applicability of the North Dakota data event notification statute, or personal jurisdiction. Nature of the Data Event On February 11, 2019, ShareThis became aware that it suffered a data security incident when it was informed that The Register published a story indicating that 16 companies, including ShareThis, were the victims of a data theft. ShareThis believes the incident occurred in July 2018. Based on its initial investigation, ShareThis believes the information that could have been subject to unauthorized access includes names, email addresses, hashed passwords and some birth dates. Unfortunately, this incident only came to light when The Register reported that the bad actor posted the data for sale on the dark web. However, ShareThis has no indication that any of the potentially affected information has been used by the bad actor or other unauthorized individual.

Office of the Attorney General February 26, 2019 Notice to North Dakota Residents Beginning on February 28, 2019, ShareThis began to provide written notice of this incident to all affected individuals, which includes an unknown number of North Dakota residents. Written notice is being provided in substantially the same form as the letter attached here as Exhibit A. ShareThis is also posting notice to its website and alerting state wide media in substantially the same form as the documents attached here as Exhibits B and C. The database at issue, which is cloud hosted, did not include address information, so ShareThis does not know the residence of the potentially affected individuals. Other Steps Taken and To Be Taken Upon discovering the event, ShareThis moved quickly to investigate and respond to the incident, assess the security of its systems, and notify potentially affected individuals. ShareThis deactivated all potentially impacted accounts so they could not be accessed. Additionally, ShareThis is providing impacted individuals with guidance on how to better protect against identity theft and fraud, including advising individuals to change account passwords. Although no financial information was impacted, ShareThis is also providing individuals with information on how to place a fraud alert and security freeze on one's credit file, information on protecting against tax fraud, the contact details for the national consumer reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouragement to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report attempted or actual identity theft and fraud. Contact Information Should you have any questions regarding this notification or other aspects of the data security event, please contact us at (267) 930-4776. Very truly yours, Edward J. Finn of MULLEN COUGHLIN LLC EJF:ncl Enclosure

EXHIBIT A

From: mail@msgbsvc.com on behalf of ShareThis Sent: Tuesday, February 26, 2019 4:08 PM To: DL-Data Breach Team Subject: HTML Sample -- Notice of Data Breach CAUTION: This email originated from outside of Epiq. Do not click links or open attachments unless you recognize the sender and know the content is safe. To help privacy , Microsoft Office prevented automatic from the Internet.Hello, At ShareThis, protecting the security of the information in our possession is a responsibility we take very seriously. We write to notify you of a data security incident that may have exposed some of your personal information. This notice explains the incident and steps ShareThis has undertaken to address it. In addition, we provide guidance below on what you can do to protect your personal information. What Happened?On February 11, 2019, ShareThis became aware that it suffered a data security incident when it was informed that The Register published a story indicating that 16 companies, including ShareThis, were the victims of a data theft. We can tell from our initial investigations that email addresses, hashed passwords and some birth dates were impacted. The incident, unfortunately, only came to light when The Register reported that the hacker posted the data for sale on the dark web. What Information Was Involved?Although our investigation is ongoing, we believe that the incident occurred in July 2018 and your name, email, date of birth, and hashed password may have been acquired by an unauthorized person or persons. Please note that we have no indication that your password has been used by the hacker or other unauthorized individual. As a result, your personal data may have been compromised. What We Are Doing.We value your privacy and deeply regret that this incident occurred. ShareThis will be deactivating any ShareThis accounts associated with this email address. We are reviewing our internal systems and are in the process of working with forensic and data security experts to review this incident and to identify any additional measures we can take to further bolster our security. What You Can Do.We want to make sure that you have resources to protect your personal information. As noted above, we deactivated the ShareThis account associated with this email address, so no one will be able to log into it. However, we recommend that you change your password for any other accounts for which you use the same or similar email address or password and take other appropriate steps to protect your online accounts. We also encourage you to be cautious of spam or other phishing emails, including those that solicit personal data. You can also review the Steps You Can Take to Protect Your Personal Information below. Other Important Information.Maintaining the integrity of confidential information is extremely important to us. We sincerely apologize for any inconvenience this incident may have caused you. We are continuing to investigate this matter and will take appropriate action to prevent future similar incidents.

For More Information.If you have any questions on this matter, you can email us at inquiries@sharethis.com. You can also visit our website at https://www.sharethis.com/data-privacy-incident. Sincerely, To help privacy , Microsoft Office prevented automatic from the Internet.Dana Hayes, Jr. Chief Executive Officer Steps You Can Take to Protect Your InformationAlthough we have no reason to believe any financial information of our customers was impacted by this incident, we encourage you to remain vigilant, to review your account statements, and to monitor your credit reports for suspicious activity to help protect against possible identity theft or other financial loss. Guard against the possibility of fraud and identity theft.We suggest you remain as vigilant as ever in monitoring any relevant online accounts or profiles that you may have, particularly for those associated with the same email address. Please consider the complexity of the passwords you use and ensure that you reset and change your passwords for any accounts which have the same or similar passwords. If you do notice any suspicious activity on any online accounts, contact your account provider immediately. Stay alert to the risk of malicious emails. We recommend that you continue to be vigilant against malicious emails such as phishing emails, including by considering whether you are expecting a particular email, confirming the full email address and domain of the sender, as well as looking out for spelling mistakes, suspicious links and other signs that the message is suspicious. If you think you may have divulged personal information (including any log-in credentials) as a result of a phishing email, please immediately change those credentials. Credit Reports. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus. If you would like to order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.Security Freeze. Although ShareThis does not ask for, or collect or maintain in any way, Social Security numbers for our customers, we advise you that you have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below: Experian P.O. Box 9554 victim-resource/place-fraud-alertEquifax P.O. Box 105788 1-800-685-111 report-services

In order to request a security freeze, you will need to supply the following information:1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.); 4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years; 6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.);7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze. As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the agencies listed below: Experian TransUnion Equifax---------www.experian.com/fraud/center.html www.transunion.com/fraud-victim-resource/place-fraud-alertreport-servicesAdditional Information. You can further educate yourself regarding identity theft, and the steps you can take to protect yourself, by contacting your state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1- 877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should be reported to law enforcement, your state Attorney General, and the FTC. You can also further educate yourself about placing a fraud alert or security freeze on your credit file by contacting the FTC or your state’s Attorney General. This notice has not been delayed by law enforcement. For Rhode Island Residents: The Rhode Island Attorney General can be reached at: 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, 1-401-247-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident. The number of Rhode Island residents impacted by this event is unable to be determined.

If you would prefer not to receive further messages from this sender, please Click Here and confirm your request.To help privacy , Microsoft Office prevented automatic from the Internet.

From: mail@msgbsvc.com on behalf of ShareThis Sent: Tuesday, February 26, 2019 3:35 PM To: DL-Data Breach Team Subject: HTML Sample -- Notice of Data Breach CAUTION: This email originated from outside of Epiq. Do not click links or open attachments unless you recognize the sender and know the content is safe. To help privacy , Microsoft Office prevented automatic from the Internet.Hello, At ShareThis, protecting the security of the information in our possession is a responsibility we take very seriously. We write to notify you of a data security incident that may have exposed some of your personal information. This notice explains the incident and steps ShareThis has undertaken to address it. In addition, we provide guidance below on what you can do to protect your personal information. What Happened?On February 11, 2019, ShareThis became aware that it suffered a data security incident when it was informed that The Register published a story indicating that 16 companies, including ShareThis, were the victims of a data theft. We can tell from our initial investigations that email addresses, hashed passwords and some birth dates were impacted. The incident, unfortunately, only came to light when The Register reported that the hacker posted the data for sale on the dark web. What Information Was Involved?Although our investigation is ongoing, we believe that the incident occurred in July 2018 and your name, email and hashed password may have been acquired by an unauthorized person or persons. Please note that we have no indication that your password has been used by the hacker or other unauthorized individual. As a result, your personal data may have been compromised. What We Are Doing.We value your privacy and deeply regret that this incident occurred. ShareThis will be deactivating any ShareThis accounts associated with this email address. We are reviewing our internal systems and are in the process of working with forensic and data security experts to review this incident and to identify any additional measures we can take to further bolster our security. What You Can Do.We want to make sure that you have resources to protect your personal information. As noted above, we deactivated the ShareThis account associated with this email address, so no one will be able to log into it. However, we recommend that you change your password for any other accounts for which you use the same or similar email address or password and take other appropriate steps to protect your online accounts. We also encourage you to be cautious of spam or other phishing emails, including those that solicit personal data. You can also review the Steps You Can Take to Protect Your Personal Information below. Other Important Information.Maintaining the integrity of confidential information is extremely important to us. We sincerely apologize for any inconvenience this incident may have caused you. We are continuing to investigate this matter and will take appropriate action to prevent future similar incidents.

For More Information.If you have any questions on this matter, you can email us at inquiries@sharethis.com. You can also visit our website at https://www.sharethis.com/data-privacy-incident. Sincerely, To help privacy , Microsoft Office prevented automatic from the Internet.Dana Hayes, Jr. Chief Executive Officer Steps You Can Take to Protect Your InformationAlthough we have no reason to believe any financial information of our customers was impacted by this incident, we encourage you to remain vigilant, to review your account statements, and to monitor your credit reports for suspicious activity to help protect against possible identity theft or other financial loss. Guard against the possibility of fraud and identity theft.We suggest you remain as vigilant as ever in monitoring any relevant online accounts or profiles that you may have, particularly for those associated with the same email address. Please consider the complexity of the passwords you use and ensure that you reset and change your passwords for any accounts which have the same or similar passwords. If you do notice any suspicious activity on any online accounts, contact your account provider immediately. Stay alert to the risk of malicious emails. We recommend that you continue to be vigilant against malicious emails such as phishing emails, including by considering whether you are expecting a particular email, confirming the full email address and domain of the sender, as well as looking out for spelling mistakes, suspicious links and other signs that the message is suspicious. If you think you may have divulged personal information (including any log-in credentials) as a result of a phishing email, please immediately change those credentials. Credit Reports. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus. If you would like to order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.Security Freeze. Although ShareThis does not ask for, or collect or maintain in any way, Social Security numbers for our customers, we advise you that you have the right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Should you wish to place a security freeze, please contact the major consumer reporting agencies listed below: Experian P.O. Box 9554 victim-resource/place-fraud-alertEquifax P.O. Box 105788 1-800-685-111 report-services

In order to request a security freeze, you will need to supply the following information:1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.); 4. If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years; 6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.);7. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze. As an alternative to a security freeze, you have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the agencies listed below: Experian TransUnion Equifax---------victim-resource/place-fraud-alertreport-servicesAdditional Information. You can further educate yourself regarding identity theft, and the steps you can take to protect yourself, by contacting your state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1- 877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should be reported to law enforcement, your state Attorney General, and the FTC. You can also further educate yourself about placing a fraud alert or security freeze on your credit file by contacting the FTC or your state’s Attorney General. This notice has not been delayed by law enforcement. For Rhode Island Residents: The Rhode Island Attorney General can be reached at: 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, 1-401-247-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident. The number of Rhode Island residents impacted by this event is unable to be determined.

If you would prefer not to receive further messages from this sender, please Click Here and confirm your request.To help privacy , Microsoft Office prevented automatic from the Internet.

EXHIBIT B

EXHIBIT C

ShareThis Provides Notice of Data Security Incident Palo Alto, Calif., February 28, 2019 -- ShareThis Inc. announces today that it is taking action to address a data security incident where an unknown third-party gained access to a database. This database contained a subset of its users’ email addresses, hashed passwords, and some dates of birth. ShareThis is emailing individuals whose hashed passwords or dates of birth are affected beginning today. This notice explains the incident and steps ShareThis has undertaken to address it. What Happened? On February 11, 2019, ShareThis became aware that it suffered a data security incident when it was informed that The Register published a story indicating that 16 companies, including ShareThis, were the victims of a data theft. ShareThis immediately launched an investigation and determined that, for some users, names, email addresses, hashed passwords and some birth dates were impacted. The incident, unfortunately, only came to light when The Register reported that the hacker posted the data for sale on the dark web. What Information Was Involved? Although its investigation is ongoing, the incident appears to have occurred in or prior to July 2018, and names, emails, dates of birth, and hashed passwords may have been acquired by an unauthorized person or persons. ShareThis has no indication that passwords have been used by the hacker or other unauthorized individual. What ShareThis is Doing. ShareThis values individuals’ privacy and deeply regrets that the incident occurred. ShareThis has deactivated any ShareThis accounts potentially associated with this incident. The company is also reviewing internal systems and is in the process of working with forensic and security experts to review this incident and to identify measures it can take to bolster security if necessary. What Individuals Can Do. As noted above, ShareThis has already deactivated the ShareThis accounts potentially associated with this incident, so if an individual created an account prior to January 2017, they may no longer be able to log in. However, ShareThis is recommending that impacted individuals change passwords for any other accounts for which they use the same or similar email address or password and take other appropriate steps to protect online accounts. ShareThis also encourages individuals to be cautious of spam or other phishing emails, including those that solicit personal data. Other Important Information. Maintaining the integrity of confidential information is extremely important to ShareThis. ShareThis sincerely apologize for any inconvenience this incident may have caused, is continuing to investigate this matter, and will take appropriate action to prevent future similar incidents. For More Information. Individuals with questions about this incident, as well as those who would like to know if they are affected, can email ShareThis at inquiries@sharethis.com. Individuals may also visit the ShareThis website at https://www.sharethis.com/data-privacy-incident.

Other Steps Individuals Can Take to Protect Their Information Although ShareThis has no reason to believe any financial information was impacted by this incident, they encourage individuals to remain vigilant, to review account statements, and to monitor credit reports for suspicious activity to help protect against possible identity theft or other financial loss for any source. Credit Reports. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. If individuals would like to order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report. Security Freeze. Individuals have the right to place a “security freeze” on their credit reports, which will prohibit a consumer reporting agency from releasing information without their express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in an individual’s name without their consent. However, individuals should be aware that using a security freeze to take control over who gets access to the personal and financial information in their credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application made regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, individuals cannot be charged to place or lift a security freeze on their credit reports. Should individuals wish to place a security freeze, they may contact the major consumer reporting agencies listed below: Experian PO Box 9554www.experian.com/freeze/center.htmlChester, PA 19016www.transunion.com/credit-freezeEquifax PO Box 1057881-800-685-1111www.equifax.com/personal/credit-report-servicesIn order to request a security freeze, individuals will need to supply the following information: 1. Full name (including middle initial as well as Jr., Sr., II, III, etc.); 4. If an individual has moved in the past five (5) years, provide the addresses where they have lived over the prior five years; 6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, military identification, etc.); 7. If an individual is a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft. To remove the security freeze, an individual must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and social security number) and the PIN number or password provided when the security freeze was placed. The credit bureaus have three (3) business days after receiving a request to remove the security freeze. As an alternative to a security freeze, individuals have the right to place an initial or extended “fraud alert” on their file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file.

Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If an individual is the victim of identity theft, they are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should an individual wish to place a fraud alert, they may contact any one of the agencies listed below: Experian www.experian.com/fraud/center.html 1-800-680-7289 www.transunion.com/fraud-victim-resource/place-fraud-alertEquifax 1-888-766-0008 www.equifax.com/personal/credit-report-services Additional Information. Individuals can further educate themselves regarding identity theft, and the steps they can take to protect themselves, by contacting their state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580; www.ftc.gov/idtheft; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should be reported to law enforcement, the state Attorney General, and the FTC. Individuals can also further educate themselves about placing a fraud alert or security freeze on their credit files by contacting the FTC or their state’s Attorney General. This notice has not been delayed by law enforcement. For Rhode Island Residents: The Rhode Island Attorney General can be reached at: 150 South Main Street, Providence, Rhode Island 02903, www.riag.ri.gov, 1-401-247-4400. Under Rhode Island law, individuals have the right to obtain any police report filed in regard to this incident. The number of Rhode Island residents impacted by this event is unable to be determined.