From:   Taylor Lavery
Sent:   Friday, July 29, 2016 12:43 PM
To: Jared Isaacman
Subject:    RE: CardConnect breach

J,

I'm working on a response. The draft is below.

Jared - the number has been updated to actual so wanted to flag that for you in case you
didn't see my previous email. Also, the email is going to the entire partner and Lighthouse
list.

Best,

Taylor

DRAFT:

Subject: Data Security Incident

Dear Valued Partner,

I am writing to inform you of a data security incident involving a legacy
system that was acquired by CardConnect in the 2014 acquisition of
Foresight Payment Solutions.

On [Date] CardConnect became aware that an unauthorized third party
accessed a limited number of merchant accounts in the legacy Foresight
system. Upon discovery, CardConnect took immediate action to secure the
system and prevent any further unauthorized access. We also launched an
investigation, performed with assistance from a leading computer security
firm, to determine the nature and scope of the incident.

Our comprehensive investigation determined that fewer than 2,000 merchant
accounts were accessed. While no sensitive cardholder data, such as card
numbers, cardholder names, or expiration dates, was accessed, certain
merchant information, including business name, bank account and routing
numbers, and merchant identification numbers, may have been View the
accessed by the unauthorized third party.
(b) (6)
We have secured this legacy system and it is important to note.
(b) (6)

We value our relationship with you and deeply regret that this incident
occurred. Please be assured that we taking additional measures, as
appropriate, to further improve security so this will not happen again.

From:   Jared Isaacman
Sent:   Friday, July 29, 2016 1:51 PM
To: Taylor Lavery
Subject:    Re: CardConnect breach

Can we add the following "we have no reason to believe any of
this Information was misused"

Sent from my iPhone

UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF DELAWARE

CARDCONNECT, LLC,
Plaintiff,
v.
SHIFT4 PAYMENTS, LLC, et al.,
Defendants.

)
)
)
)
)
)
)
)
)
)
)

C.A. No. 1:17-cv-01582-RGA

DECLARATION OF PETER UZELAC IN SUPPORT OF
DEFENDANTS’ MOTION TO DISMISS PLAINTIFF’S COMPLAINT

I, Peter Uzelac, declare as follows:

1.  I previously worked for Defendant Shift4 Payments, LLC, formerly known as
LightSpeed Payments, LLC, (“Shift4”) from 2005 until approximately March 2018 as the
Senior Vice President of Operations. I have personal knowlcdge the facts set forth in this
Declaration, and, if called as a witness, I could and would competently testify to them.
2. On October 21, 2015, I received a call from Steve Sommers of Retriever
Payment Systems (“Retriever”), who told me that he had received a call from Randy
Templeman of Century Payments ("Century"), regarding a potential security breach on
Shift4’s system.
3. I understood the reference to a breach of Shift4’s system to mean an incident
of unauthorized access, and that malicious hackers were attempting to exploit data from the
system they purportedly accessed.
4. I emailed Randy Templeman that same day. Ex. A. In the chain of emails
between Randy Templeman, Steve Sommers, and me, I attempted to convey the urgency of

1

Case 1:17-cv-01582-RGA Document 69 Filed 05/11/18 Page 1 of 4 PageID #: 3750

the matter.
5. I did not believe that Randy Templeman of Steve Sommers was confusing a
breach with potential data exposure created by the manner in which Shift4’s tokens were
formatted: I believed that they were aware of malicious and nefarious access to Shift4’s
systems, which can allow them to decrypt PAN data.
6. Before speaking and emailing Randy Templeman on October 21, 2015, I was
already looking into the possibility of a breach of Shift4’s system because a Shift4 employee
had notified me of suspicious activity on Shift4’s network.
7. Upon my review of network logs that were provided to me, I concluded that
unauthorized activity was occurring, which could result in actual access to PAN data.
8. I suspected that the unauthorized activity was successful, and it prompted me to
email Mr. Isaacman later that same day to express my concerns.
9. Subsequent to my internal investigation and message to Jared Isaacman, I sent
another email on October 21, 2015, to Jared Isaacman, stating that “we are working on a batch
of 300k+ new tokens that have been compromised.” I knew at that time that the incident far
exceeded the token index number threshold. I did not include the full impact, because I did
not know the extent. I knew our support team discovered the unauthorized access using the
tool we had. We continued our investigation and the numbers escalated very fast.
10. In our conversation on October 22, 2015, Jared Isaacman did not convey to me
any information about the "token collision" problem that CardConnect asserts it discovered
months earlier.
11. In 2015, I was not aware that Shift4’s tokens could be reversed.
12. As known by Shift4 leadership. Shift4’s platform was originally coded, created,
and implemented by two programmers, who were no longer with the Company. Mr. Isaacman

2

Case 1:17-cv-01582-RGA Document 69 Filed 05/11/18 Page 2 of 4 PageID #: 3751
was aware that our system was built by only two programmers. In fact, Mr. Isaacman referred
to Shift4 as an organization comprised of “2 programmers and a sales guy.” I, nor anyone else
at Shift4, took any affirmative steps to conceal any information about Shif4’s systems.
13. With respect to the token collision issue, I did not investigate this purported
issue, and have no firsthand knowledge of it beyond what I have seen written in legal
documents related to this case, particularly CardConnect’s complaint.
14. To my recollection, the first time I heard about the term "token collision" was
after this lawsuit was filed.
15. I was aware that CardConnect was a reseller of Shift4 and therefore had access
to the tokens that Shift4 created.
16. As a reseller, CardConnect was free to do whatever they wanted with the
tokens that Shift4 created.
17. Based upon all of my experiences with the events materializing in October
2015, inclusive of the suspicious activity leading up to that date, internal review and analysis
of Shift4 systems, and the independent third-party forensic investigation conducted on behalf
of Shift4 during the October 2015 data breach, it is my most certain belief that CardConnect’s
statements cited in paragraphs 44 and 52 of the Complaint do not represent my, or
CardConnect’s, view of the events that transpired in the fall of 2015.
     **18. I believe those statments in the legal document were intentionaly formed to misstate the truth**
19. I believe that the activity in the fall of 2015 had nothing to do with
CardConnect's "token collision" theory.
20. After the breach in the Fall of 2015, I worked hard and closely with a qualified
security assessor, Coalfire, to remediate the systems and implement new processer [sic] to
detect and respond.

3

Case 1:17-cv-01582-RGA Document 69 Filed 05/11/18 Page 3 of 4 PageID #: 3752

21. I declare under penalty of perjury under the laws of the United States of
America that the foregoing is true and correct.

Executed on May 9.2018

,2.
Peter Uzelac

4