Notice of Payment Card Security Incident

August 30, 2019

We value our relationship with our consumers and understand the importance of protecting your personal data and payment card information. We want to inform you about a data security incident affecting our Russell Stover retail stores, which may have resulted in unauthorized acquisition of certain payment card information, and to provide you with steps you can take to protect yourself from possible misuse of your information.

What Happened?

We recently became aware that an unauthorized actor had possibly gained access to Russell Stover’s point-of-sale (POS) systems through malware at Russell Stover’s retail stores. Upon learning of the incident, Russell Stover immediately initiated an investigation, engaged leading, independent cybersecurity experts, and took measures to eradicate and contain the malware. Based on our investigation to date, Russell Stover believes that, by means of the malware, the unauthorized actor may have been able to acquire certain data from payment cards used in Russell Stover retail stores during timeframes beginning no earlier than February 9, 2019 and no later than August 7, 2019.

What Information was Involved?

At this time, we believe that Russell Stover retail stores were impacted. While our investigation is ongoing, we believe that certain payment card data, including some consumers’ first and last names, payment card numbers and expiration dates, could have been acquired.

What We Are Doing

Upon learning of the incident, we took steps to contain and remediate the incident, including removing the malware from our systems. We are working to further strengthen our security measures, including through enhanced employee training and improved technical measures. We have also notified the appropriate law enforcement and regulatory authorities and are working closely with the payment card companies regarding this matter.

Payment card network rules generally state that payment cardholders are not responsible for fraudulent charges that are timely reported. Accordingly, Russell Stover consumers, like any payment cardholder, should promptly report unauthorized charges to the bank that issued their payment card.

What You Can Do

We recommend that you review your bank account and payment card statements and notify your payment card company if you identify any suspicious activity. Be sure to immediately report any unauthorized charges to your payment card issuer. The phone number to call is usually on the back of your payment card.

Please see the section that follows this notice for additional steps you may take to protect your information. The additional information section describes additional steps you can take to help protect yourself, including details on how to place a fraud alert or a security freeze on your credit file.

For More Information

We sincerely regret that this incident occurred and any concern it may cause. If you have questions or need additional information, you may call 855-896-4449 available from 6 a.m. to 8 p.m. (Pacific) Monday through Friday and 8 a.m. to 5 p.m. (Pacific) on Saturday and Sunday (exclusive of holidays). When calling in, please use the reference number DB14273.

ADDITIONAL INFORMATION ON WAYS TO PROTECT YOURSELF

Contact information for the three nationwide credit reporting companies is as follows:

Free Credit Report. We remind you to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. You can also order your annual free credit report by mailing a completed Annual Credit Report Request Form (available from the U.S. Federal Trade Commission’s (“FTC”) website at www.consumer.ftc.gov) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

For Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Puerto Rico, and Vermont Residents:

You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit reporting agencies directly to obtain such additional report(s).

Security Freeze. Security freezes, also known as credit freezes, restrict access to your credit file, making it harder for identity thieves to open new accounts in your name. You can freeze and unfreeze your credit file for free. You also can get a free freeze for your children who are under 16. And if you are someone’s guardian, conservator or have a valid power of attorney, you can get a free freeze for that person, too.

How will these freezes work? Contact all three of the nationwide credit reporting agencies – Equifax, Experian, and TransUnion. If you request a freeze online or by phone, the agency must place the freeze within one business day. If you request a lift of the freeze, the agency must lift it within one hour. If you make your request by mail, the agency must place or lift the freeze within three business days after it gets your request. You also can lift the freeze temporarily without a fee.

Do not confuse freezes with locks. They work in a similar way, but locks may have monthly fees. If you want a free freeze guaranteed by federal law, then opt for a freeze, not a lock.

The following information must be included when requesting a security freeze (note that if you are requesting a credit report for your spouse, this information must be provided for him/her as well): (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.

The credit reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (“PIN”) or password or both that can be used by you to authorize the removal or lifting of the security freeze.

To lift the security freeze in order to allow a specific entity or individual access to your credit report, you must call or send a written request to the credit reporting agencies by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze as well as the identity of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available. The credit reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.

To remove the security freeze, you must send a written request to each of the three credit bureaus by mail and include proper identification (name, address, and Social Security number) and the PIN number or password provided to you when you placed the security freeze. The credit bureaus have three (3) business days after receiving your request to remove the security freeze.

For New Mexico Residents: You may obtain a security freeze on your credit report to protect your privacy and ensure that credit is not granted in your name without your knowledge. You may submit a declaration of removal to remove information placed in your credit report as a result of being a victim of identity theft. You have a right to place a security freeze on your credit report or submit a declaration of removal pursuant to the Fair Credit Reporting and Identity Security Act.

For Colorado and Illinois Residents: You may obtain information from the credit reporting agencies and the FTC about security freezes.

For Massachusetts Residents: Massachusetts law also allows consumers to request a security freeze. A security freeze prohibits a credit reporting agency from releasing any information from your credit report without written authorization. Be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services.

Fraud Alerts. A fraud alert tells businesses that check your credit that they should check with you before opening a new account. As of September 18, 2018, when you place a fraud alert, it will last one year, instead of 90 days. Fraud alerts will still be free and identity theft victims can still get an extended fraud alert for seven years.

For Colorado and Illinois Residents: You may obtain additional information from the credit reporting agencies and the FTC about fraud alerts.

For West Virginia Residents: You have the right to ask that nationwide consumer reporting agencies place “fraud alerts” in your file to let potential creditors and others know that you may be a victim of identity theft. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling one of the three nationwide consumer reporting agencies - Equifax, Experian, and TransUnion.

Federal Trade Commission and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state. You may also contact these agencies for information on how to prevent or avoid identity theft. You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-IDTHEFT (438-4338).

For Maryland Residents: You may contact the Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.

For North Carolina Residents: You may contact the North Carolina Office of the Attorney General, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, 1-877-566-7226.

For Rhode Island Residents: You may contact the Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903, http://www.riag.ri.gov, 401-274-4400

Reporting of identity theft and obtaining a police report. You have the right to obtain any police report filed in the United States in regard to this incident. If you are the victim of fraud or identity theft, you also have the right to file a police report.

For Iowa Residents: You are advised to report any suspected identity theft to law enforcement or to the Iowa Attorney General.

For Massachusetts Residents: You have the right to obtain a police report if you are a victim of identity theft. You also have a right to file a police report and obtain a copy of it.

For Oregon Residents: You are advised to report any suspected identity theft to law enforcement, the Federal Trade Commission, and the Oregon Attorney General.

For Rhode Island Residents: You have the right to file or obtain a police report regarding this incident.

Russell Stover Retail Store Locations

A list of potentially affected Russell Stover retail stores can be found below.

1. Russell Stover Chocolates Shop
   3376 Winfield Dunn Pkwy
   Kodak, TN 37764-1542
2. Russell Stover Chocolates Shop
   2604 Decatur Pike
   Athens, TN 37303-4930
3. Russell Stover Chocolates Shop
   1976 Chocolate Dr
   Cookeville, TN 38501-2022
4. Russell Stover Chocolates Shop
   101 Destination Blvd
   Anderson, SC 29621-2343
5. Russell Stover Chocolates Shop
   2244 Hillsboro Blvd
   Manchester, TN 37355-7310
6. Russell Stover Chocolates Shop
   1699 US Highway 72 E
   Athens, AL 35611-4411
7. Russell Stover Chocolates Shop
   1500 Polaris Pkwy Ste 1206
   Columbus, OH 43240-2130
8. Russell Stover Chocolates Shop
   5 Cabela Dr
   Triadelphia, WV 26059-1000
9. Russell Stover Chocolates Shop
   5503 N Illinois St
   Fairview Heights, IL 62208-3509
10. Russell Stover Chocolates Shop
    702 Freedom Ct
    Dundee, MI 48131-9572
11. Russell Stover Chocolates Shop
    901 Heitmann Dr
    Lincoln, IL 62656-9644
12. Russell Stover Chocolates Shop
    950 Industrial Dr
    Wildwood, FL 34785-4705
13. Russell Stover Chocolates Shop
    120 Wilderness Trail
    Hamburg, PA 19526-8163
14. Russell Stover Chocolates Shop
    22500 Evergreen Parkway
    Lebanon, MO 65536-4500

15. Russell Stover Chocolates Shop
    1951 West Marler Lane
    Ozark, MO 65721-7660
16. Russell Stover Chocolates Shop
    2425 Mid America Industrial Dr
    Boonville, MO 65233-2645
17. Russell Stover Chocolates Shop
    1021 S Limit Ave
    Sedalia, MO 65301-5125
18. Russell Stover Chocolates Shop
    2202 S Commercial St
    Harrisonville, MO 64701-3110
19. Russell Stover Chocolates Shop
    2814 Shawnee Mission Pkwy
    Fairway, KS 66205-2645
20. Russell Stover Chocolates Shop
    10100 Shawnee Mission Pkwy
    Merriam, KS 66203-3643
21. Russell Stover Chocolates Shop
    1300 Village West Pkwy
    Kansas City, KS 66111-1875
22. Russell Stover Chocolates Shop
    1995 Marshmallow Lane
    Iola, KS 66749
23. Russell Stover Chocolates Shop
    4500 W Frontage Rd
    Omaha, NE 68114-4664
24. Russell Stover Chocolates Shop
    721 S 72nd St #101
    Omaha, NE 68114-466
25. Russell Stover Chocolates Shop
    1993 Caramel Blvd
    Abilene, KS 67410-0000
26. Russell Stover Chocolates Shop
    1997 Pecan Delight Ave
    Corsicana, TX 75109-902
27. Russell Stover Chocolates Shop
    7642 W Reno Ave Ste 401
    The Outlet Shoppes at Oklahoma City
    Oklahoma City, OK 73127-9771
28. Russell Stover Chocolates Shop
    2146 S Townsend Ave
    Montrose, CO 81401-4849

Press Release

Media contact:
Jim Kissinger
media@rstover.com

Notice of Payment Card Security Incident

Russell Stover Chocolates, LLC (Russell Stover) recently became aware of a data security incident potentially affecting certain data from payment cards used for purchases at Russell Stover retail stores during a limited timeframe. It is important to note that, at this time, there is no evidence that this incident impacted purchases made on Russell Stover’s website. Russell Stover is approaching this incident with the utmost importance and providing potentially impacted individuals with information on steps they can take to protect themselves.

Russell Stover determined that an unauthorized actor had possibly gained access to its point-of-sale (POS) systems through malware at Russell Stover’s retail stores. Upon learning of the incident, Russell Stover immediately initiated an investigation, engaged leading, independent cybersecurity experts, and took measures to eradicate and contain the malware. Russell Stover has also notified the appropriate law enforcement and regulatory authorities and is working closely with the payment card companies regarding this matter.

Based on its investigation to date, Russell Stover believes that, by means of the malware, the unauthorized actor may have been able to acquire certain data from payment cards used in Russell Stover retail stores during timeframes beginning no earlier than February 9, 2019 and no later than August 7, 2019.

While Russell Stover’s investigation is ongoing, the company believes that certain payment card data, including some consumers’ first and last names, payment card numbers and expiration dates could have been acquired. At this time, Russell Stover has no evidence that any information has been inappropriately used.

Russell Stover deeply regrets that this incident occurred and for any inconvenience or concern it causes its consumers. The security and privacy of consumers’ payment card data is a top priority, and Russell Stover is working to further strengthen its security measures, including through enhanced employee training and improved technical measures.

As a best practice, it is always advisable for individuals to remain vigilant and monitor their payment card statements for suspicious charges or activity they do not recognize. If a consumer suspects an unauthorized charge, they should immediately notify the bank or financial institution that issued the payment card. Payment card network rules generally state that payment cardholders are not responsible for fraudulent charges that are timely reported. Accordingly, Russell Stover consumers, like any payment cardholder, should promptly report unauthorized charges to the bank or financial institution that issued their payment card.

More information about the incident and steps that consumers can take to help protect themselves is available at www.russellstover.com/securityincident. Russell Stover has also set up a dedicated call center for consumers at 855-896-4449 available from 6 a.m. to 8 p.m. (Pacific) Monday through Friday and 8 a.m. to 5 p.m. (Pacific) on Saturday and Sunday (exclusive of holidays). When calling in, callers should use the reference number DB14273.