Notice of Data Breach
We are saddened to report that on December 2, 2019, the Rooster Teeth online store (https://store.roosterteeth.com/) experienced a data security incident that may have compromised a limited group of customers’ personal information. It is important to note that this did not affect Rooster Teeth accounts or FIRST membership subscriptions as this incident remained isolated to the Shopify platform for the online store – store.roosterteeth.com. We immediately investigated the incident, took steps to prevent incidents like this in the future, and notified potentially impacted customers via email and letter. If we did not send you an email, then you were not one of our potentially affected customers. Our community’s privacy and security is a key concern, and we deeply apologize for any inconvenience this incident has caused. Information about no-cost consumer protection services for potentially affected customers is available below, and in addition our customer care team is available to assist you with any questions or concerns at rtstorecare@roosterteeth.com.
The following form of notice has been sent to potentially impacted customers via email, and, if you reside in the domestic United States, a physical copy has been sent to your most recent mailing address.
Notice of Data Breach
We are writing to notify you of a data security incident involving our e-commerce website, https://store.roosterteeth.com (“Site”). You are receiving this notice because our records show that you may have been affected by this incident. Please read this notice carefully, as it provides information about the incident, the steps we have taken to secure our systems, and the resources available to you to protect yourself against the unauthorized use of your personal information.
Our goal is to provide our community with a safe shopping environment, and we apologize for this incident. Please note that free Rooster Teeth accounts and Rooster Teeth FIRST accounts were not affected by this incident as it remained limited to the Site’s e-commerce platform, which is powered by Shopify.
What Happened?
On December 2, 2019, Rooster Teeth discovered that malicious code had been added to the Site earlier the same day. The malicious code directed users entering a checkout on the Site to a spoofed webpage where they were asked to enter payment card details in order to complete their purchases. This was inserted after the stage at which users entered their shipping data. Users who completed the payment card details page were then directed to the real webpage, where they were asked to complete the forms again.
We removed the malicious code from the Site and took other steps to secure the Site against further unauthorized access. The incident did not affect any other part of the Site or other information maintained by us. It is our goal to provide a safe and secure shopping environment, and we will continue to review, audit, and improve our security controls and processes.
What Information Was Involved?
If you entered information on the spoofed webpage described above, your name, email address, telephone number, physical address, and/or payment card information (including expiration dates and security codes) may have been exposed. You are receiving this notice because our records show that you visited the affected checkout process on our Site on the day of the incident and may have been affected by this incident.
What We Are Doing to Protect Your Information
To help protect your identity, we are offering third party monitoring services through Experian for one year for those potentially impacted consumers who reside in territories where such services are available. Further details, if applicable, are included in your individual notice.
What You Can Do
We encourage you to remain vigilant for incidents of fraud and identity theft by carefully reviewing your payment card or personal account statements for unauthorized charges and monitoring free credit reports for fraudulent activity or errors resulting from the incident. If you suspect an unauthorized charge has been placed on your account, we encourage you to report it to your payment card issuer. According to the payment card brands’ policies, you are not responsible for unauthorized charges to your account if you report them in a timely manner. For additional information on identity theft or setting up credit alerts or credit freezes, please review the document enclosed with this letter.
For More Information
Please contact us at privacy@roosterteeth.com.
Sincerely,
Marlayne Ingram, Esq.
Vice President, Business & Legal Affairs
Rooster Teeth Productions, LLC
INFORMATION ABOUT CREDIT MONITORING AND IDENTITY THEFT PROTECTION SERVICES
We are offering complimentary credit monitoring and identity restoration services through Experian to potentially affected US customers for one year. You will find more information about these services below.
In addition, we are able to offer certain identity theft protection services to potentially affected customers in certain other countries. Information about these services, where available, has been sent directly to those international customers who have been potentially affected. For more information, please contact privacy@roosterteeth.com.
DETAILS REGARDING EXPERIAN IDENTITYWORKS MEMBERSHIP FOR U.S. CUSTOMERS:
A credit card is not required for enrollment in Experian IdentityWorks.
You can contact Experian immediately regarding any fraud issues, and have access to the following features once you enroll in Experian IdentityWorks:
• Experian credit report at signup: See what information is associated with your credit file. Daily credit reports are available for online members only.
• Credit Monitoring: Actively monitors Experian, Equifax and Transunion files for indicators of fraud.
• Identity Restoration: Identity Restoration specialists are immediately available to help you address credit and non-credit related fraud.
• Experian IdentityWorks ExtendCARETM: You receive the same high-level of Identity Restoration support even after your Experian IdentityWorks membership has expired.
• Up to $1 Million Identity Theft Insurance: Provides coverage for certain costs and unauthorized electronic fund transfers.
If you believe there was fraudulent use of your information and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent at 866-578-5413. If, after discussing your situation with an agent, it is determined that Identity Restoration support is needed, then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred (including, as appropriate, helping you with contacting credit grantors to dispute charges and close accounts; assisting you in placing a freeze on your credit file with the three major credit bureaus; and assisting you with contacting government agencies to help restore your identity to its proper condition).
Please note that this Identity Restoration support is available to you for one year from the date of this letter and does not require any action on your part at this time. The Terms and Conditions for this offer are located at www.ExperianIDWorks.com/restoration. You will also find self-help tips and information about identity protection at this site.
ADDITIONAL RESOURCES, CREDIT ALERTS AND FREEZES FOR U.S. CUSTOMERS
Federal Trade Commission
The Federal Trade Commission provides information about how to avoid identity theft, including information about placing fraud alerts and security freezes on your credit report. You may report suspected identity theft to the Federal Trade Commission.
• Visit: http://www.ftc.gov/idtheft
• Call (toll-free): 1-877-ID-THEFT (1-877-438-4338)
• Write: Consumer Response Center, Federal Trade Commission, 600 Pennsylvania Ave., NW, Washington, DC 20580.
State Information
You may also report suspected identity theft to law enforcement, including your state attorney general. Some states provide additional information and resources to assist their residents when there is a data security breach.
Information for Iowa Residents
State laws advise you to report any suspected identity theft to law enforcement or to the Attorney General. For more information on identity theft, you can contact local law enforcement or the Iowa Attorney General’s Office:
Address: Hoover State Office Building, 1305 E. Walnut Street, Des Moines, IA 50319
Telephone: 1-515-281-5926
Website: https://www.iowaattorneygeneral.gov/for-consumers/general-consumer-information/identity-theft
Information for Maryland Residents
For more information on identity theft, you can contact the Maryland Attorney General’s Office:
Address: 200 St. Paul Place, Baltimore, MD 21202
Telephone: 1-410-576-6491
Website: www.oag.state.md.us/idtheft/index.htm
Information for New York Residents
For more information on identity theft, you can contact the New York Department of State’s Division of Consumer Protection:
Address: 99 Washington Avenue, Albany, NY 12231-0001
Telephone: 1-800-697-1220
Website: https://www.dos.ny.gov/consumerprotection/identity_theft/index.htm
Information for North Carolina Residents
For more information on identity theft, you can contact the North Carolina Attorney General’s Office:
Address: 9001 Mail Service Center, Raleigh, NC 27699-9001
Telephone: 1-919-716-6400
Fax: 1-919-716-6750
Website: http://www.ncdoj.gov
Information for Oregon Residents
State laws advise you to report any suspected identity theft to law enforcement, as well as the Federal Trade Commission. For more information on identity theft, you can contact the Oregon Attorney General’s Office:
Address: 1162 Court Street NE, Salem, OR 97301-4096
Telephone: 1-800-877-9392
Email Address: help@oregonconsumer.gov
Website: https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/identity-theft/
Information for Rhode Island Residents
For more information on identity theft, you can contact the Rhode Island Attorney General’s Office:
Address: 150 South Main Street, Providence, RI 02903
Telephone: 1-401-271-4400
Email Address: consumers@riag.ri.gov
Website: http://www.riag.ri.gov/ConsumerProtection/About.php
Notice for Residents of Massachusetts and Rhode Island
You have the right to obtain a police report.
Free Annual Credit Reports
You may obtain a free copy of your credit report once every 12 months.
• Visit: http://www.annualcreditreport.com
• Call (toll-free): 1-877-322-8228
• Write: Complete an Annual Credit Report Request Form and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281 (you can print a copy of the form at http://www.consumer.ftc.gov/articles/pdf-0093-annual-report-request-form.pdf).
You also may purchase a copy of your credit report by contacting one of the three national consumer reporting agencies using the information below.
| Equifax 1-800-525-6285 www.equifax.com P. O. Box 740241 Atlanta, GA 30374-0241 | Experian 1-888-397-3742 www.experian.com P. O. Box 9554 Allen, TX 75013 | TransUnion 1-800-888-4213 www.transunion.com 2 Baldwin Place P.O. Box 1000 Chester, PA 19022 |
Fraud Alerts: “Initial Alert” and “Extended Alert”
You can place two types of fraud alerts on your credit report to put your creditors on notice that you may be a victim of fraud: an “Initial Alert” and an “Extended Alert.” An Initial Alert stays on your credit report for 12 months. You may ask that an Initial Alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An Extended Alert stays on your credit report for seven years. To obtain the Extended Alert, you must provide proof to the consumer reporting agency (usually in the form of a police report) that you actually have been a victim of identity theft.
A potential drawback to activating a fraud alert would occur when you attempt to open a new account. You would need to be available at either your work phone number or home phone number in order to approve opening the new credit account. If you are not available at either of those numbers, the creditor may not open the account. A fraud alert may interfere with or delay your ability to obtain credit.
Fraud alerts will not necessarily prevent someone else from opening an account in your name. A creditor is not required by law to contact you if you have a fraud alert in place. Fraud alerts can legally be ignored by creditors. If you suspect that you are or have already been a victim of identity theft, fraud alerts are only a small part of protecting your credit. You also need to pay close attention to your credit report to make sure that the only credit inquiries or new credit accounts in your file are yours.
To place either type of fraud alert on your credit report, you may contact any one of the three major consumer reporting agencies using the information below that they have published. Consumer reporting agencies will need to verify your identity, which will require providing your Social Security number and other similar information.
TransUnion
P.O. Box 2000
Chester, PA 19022-2000
https://fraud.transunion.com
1-800-680-7289
Equifax
P. O. Box 740241
Atlanta, GA 30374-0241
https://www.alerts.equifax.com/AutoFraud_Online/jsp/fraudAlert.jsp
1-888-766-0008
Experian
P. O. Box 9554
Allen, TX 75013
https://www.experian.com/fraud/center.html
1-888-397-3742
Placing a fraud alert does not damage your credit or credit score. Additional information may be obtained from www.annualcreditreport.com.
Credit or Security Freeze on Credit File
You have the right to put a credit freeze (also known as a security freeze) on your credit file. A credit freeze is designed to prevent potential credit grantors from accessing your credit report without your consent. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each consumer reporting agency.
A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent; however, using a security freeze may interfere with or delay your ability to obtain credit. To place a security freeze on your credit report, contact the consumer reporting agencies using the information below, and be prepared to provide the following (note that if you are requesting a security freeze for your spouse, this information must be provided for him/her as well):
(1) full name, with middle initial and any suffixes;
(2) Social Security number;
(3) date of birth;
(4) current address and any previous addresses for the past two years; and
(5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.
There is no charge for a security freeze. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and contain the date of issue.
The addresses of consumer reporting agencies to which requests for a security freeze may be sent are:
TransUnion
P.O. Box 2000
Chester, PA 19022-2000
https://freeze.transunion.com
Equifax
Equifax Security Freeze
P.O. Box 105788
Atlanta, Georgia 30348
https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
Experian
P. O. Box 9532
Allen, TX 75013
https://www.experian.com/freeze/center.html
The consumer reporting agencies have three (3) business days after receiving your request to place a security freeze on your credit report. The credit bureaus must also send written confirmation to you within five (5) business days and provide you with a unique personal identification number (PIN) or password, or both that can be used by you to authorize the removal or lifting of the security freeze.
To lift the security freeze to allow a specific entity or individual access to your credit report, you must call or send a written request to the consumer reporting agencies by mail and include:
• proper identification (name, address, and Social Security number);
• the PIN or password provided to you when you placed the security freeze; and
• the identities of those entities or individuals you would like to receive your credit report or the specific period of time you want the credit report available.
The consumer reporting agencies have three (3) business days after receiving your request to lift the security freeze for those identified entities or for the specified period of time.
Para información en español, visite www.consumerfinance.gov/learnmore o escribe a la Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
A Summary of Your Rights Under the Fair Credit Reporting Act
The United States federal Fair Credit Reporting Act (FCRA) promotes the accuracy, fairness, and privacy of information in the files of consumer reporting agencies. There are many types of consumer reporting agencies, including credit bureaus and specialty agencies (such as agencies that sell information about check writing histories, medical records, and rental history records). Here is a summary of your major rights under FCRA. For more information, including information about additional rights, go to www.consumerfinance.gov/learnmore or write to: Consumer Financial Protection Bureau, 1700 G Street N.W., Washington, DC 20552.
• You must be told if information in your file has been used against you. Anyone who uses a credit report or another type of consumer report to deny your application for credit, insurance, or employment – or to take another adverse action against you – must tell you, and must give you the name, address, and phone number of the agency that provided the information.
• You have the right to know what is in your file. You may request and obtain all the information about you in the files of a consumer reporting agency (your “file disclosure”). You will be required to provide proper identification, which may include your Social Security number. In many cases, the disclosure will be free. You are entitled to a free file disclosure if:
– a person has taken adverse action against you because of information in your credit report;
– you are the victim of identity theft and place a fraud alert in your file;
– your file contains inaccurate information as a result of fraud;
– you are on public assistance;
– you are unemployed but expect to apply for employment within 60 days.
In addition, all consumers are entitled to one free disclosure every 12 months upon request from each nationwide credit bureau and from nationwide specialty consumer reporting agencies. See www.consumerfinance.gov/learnmore for additional information.
• You have the right to ask for a credit score. Credit scores are numerical summaries of your credit-worthiness based on information from credit bureaus. You may request a credit score from consumer reporting agencies that create scores or distribute scores used in residential real property loans, but you will have to pay for it. In some mortgage transactions, you will receive credit score information for free from the mortgage lender.
• You have the right to dispute incomplete or inaccurate information. If you identify information in your file that is incomplete or inaccurate, and report it to the consumer reporting agency, the agency must investigate unless your dispute is frivolous. See www.consumerfinance.gov/learnmore for an explanation of dispute procedures.
• Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information. Inaccurate, incomplete, or unverifiable information must be removed or corrected, usually within 30 days. However, a consumer reporting agency may continue to report information it has verified as accurate.
• Consumer reporting agencies may not report outdated negative information. In most cases, a consumer reporting agency may not report negative information that is more than seven years old, or bankruptcies that are more than 10 years old.
• Access to your file is limited. A consumer reporting agency may provide information about you only to people with a valid need – usually to consider an application with a creditor, insurer, employer, landlord, or other business. The FCRA specifies those with a valid need for access.
• You must give your consent for reports to be provided to employers. A consumer reporting agency may not give out information about you to your employer, or a potential employer, without your written consent given to the employer. Written consent generally is not required in the trucking industry. For more information, go to www.consumerfinance.gov/learnmore.
• You may limit “prescreened” offers of credit and insurance you get based on information in your credit report. Unsolicited “prescreened” offers for credit and insurance must include a toll-free phone number you can call if you choose to remove your name and address form the lists these offers are based on. You may opt out with the nationwide credit bureaus at 1-888-5-OPTOUT (1-888-567-8688).
• The following FCRA right applies with respect to nationwide consumer reporting agencies:
Consumers Have the Right To Obtain a Security Freeze
You have a right to place a “security freeze” on your credit report, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.
As an alternative to a security freeze, you have the right to place an initial or extended fraud alert on your credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting 7 years.
A security freeze does not apply to a person or entity, or its affiliates, or collection agencies acting on behalf of the person or entity, with which you have an existing account that requests information in your credit report for the purposes of reviewing or collecting the account. Reviewing the account includes activities related to account maintenance, monitoring, credit line increases, and account upgrades and enhancements.
• You may seek damages from violators. If a consumer reporting agency, or, in some cases, a user of consumer reports or a furnisher of information to a consumer reporting agency violates the FCRA, you may be able to sue in state or federal court.
• Identity theft victims and active duty military personnel have additional rights. For more information, visit www.consumerfinance.gov/learnmore.
States may enforce the FCRA, and many states have their own consumer reporting laws. In some cases, you may have more rights under state law. For more information, you can contact your state or local consumer protection agency or your state Attorney General.
We know you might still have questions.
Here are some answers:
Q: I was on the Store that day, but I don’t think I ever checked out. At least, I didn’t place an order. How do I know if I was affected or not?
A: If we did not send you an email, then you were not one of our potentially affected customers.
Q: What should I do to protect myself?
A: Contact your credit or debit card company and inform them that your card information may have been compromised, so that they can issue you a replacement card. Remain vigilant and review your banking and card statements and free credit reports, and also report any suspicious activity to the relevant financial institutions. You can report any suspected fraud to local law enforcement, your state Attorney General, and the Federal Trade Commission (FTC).
Q: What actions have been taken since Dec. 2?
A: Our community’s privacy and security is a key concern for us. When we became aware of the incident, we began taking steps to protect potentially impacted consumers. We removed the malicious code from the site, investigated the incident and implemented other protective measures. Since then, we also began the process of notifying regulators and potentially impacted customers.