> [Redacted Name]
> Yesterday

> [Redacted]: I sent you a bunch of screen shots
> [Redacted] 9:48 AM

> [Redacted]: From my new number
> [Redacted]: 10:49 AM

> [Redacted]: I'll call you
> [Redacted]: 11:11 AM ✓

> [Redacted] You missed a call from [Redacted]
> [Redacted]: 4 11:11 AM

> [Redacted]: Just saw them. Wow
> [Redacted] 11:14 AM

> [Redacted]: What do we do?
> [Redacted]✓ : 11:14 AM

> [Redacted Name]
> Yesterday

> [Redacted]: Call legal immediately
> [Redacted] 11:14 AM ✓✓

> [Redacted]: I called [Redacted] in Israel and the
> cybersecurity consultants that did the
> report.
> [Redacted] : 11:15 AM

> [Redacted]: They are going to call me back as soon as
> they can.
> [Redacted]: 11:15 AM

> [Redacted]: [Redacted] said to also secure any devices
> that may have also had the info.
> He will call you as well.
> [Redacted]: 11:16 AM ✓✓

> [Redacted]: I am calling legal.
> [Redacted]: 11:18 AM

> [Redacted Name]
> Yesterday

> [Redacted Text Message Content Redacted]
[Redacted] 11:20 AM

>Ok
>[Redacted] 11.21 AM

>[Redacted]: Keep me posted
>[Redacted] 11:21 AM

> [Redacted]: We are on with [Redacted]
> [Redacted] 11:22 AM

> [Redacted] Okay.
> [Redacted]: 11:24 AM ✓✓

> [Redacted]:He is also calling [Redacted]
> [Redacted] 11:25 AM

> [Redacted] Cool
> [Redacted] 11:27 AM ✓

>[Redacted Name]

>[Redacted]: Just spoke with them.
>Waiting to hear back from legal
>before proceeding.
>[Redacted]: 12:33 PM

>  I just talked with them. [Redacted]
>  and [Redacted] are drafting a
>  letter now. They are on it.
> [Redacted] 1:16 PM

>Great
>[Redacted]✓ 1:21 PM

>  We are all meeting at 4
>  [Redacted] 1:22 PM

From: [Redacted]
Sent: Wednesday, [Redacted Date], [Redacted Year] 4:17 PM
To: [Redacted]
Cc: [Redacted]
Subject: [Redacted]

[Redacted Paragraph(s)]

...forwarding for your review.

[Redacted Signature Block]

...[Redacted]... discussion with Israeli cybersecurity consultant [Redacted Name] ...[Redacted]... report findings... [Redacted]... potential data breach... [Redacted]... recommendations for remediation... [Redacted]... conference call scheduled... [Redacted]...

...Meeting on [Redacted Date]... attendees: [Redacted Names]... [Redacted]... discussion regarding consultant report... [Redacted]... Israeli firm... [Redacted]... expertise in data security...[Redacted]....

...Testimony of [Redacted Name]... [Redacted]... questioning by [Redacted Attorney Name]... [Redacted]... "Did you contact any outside consultants?"... [Redacted]... "Yes, we engaged a firm in Israel specializing in..." [Redacted]...

From: Jason Thomas [mailto: Jason.a.thomas@jpmchase.com]
Sent: Friday, August 04, 2017 3:16 PM
To: Jeffery Shanahan; Maria Ciavarelli
Cc: Jeffrey Lippert; Daniel Horne; Christopher Needham; William Barry; Stephen Tefft; Jason Spangler; Michael Knorr; Michael Ames
Subject: RE: Shift update

Jeff,

I am on calls most of the day but I am available after 3:30pm EST. I will reach out to Steve T. To see
how we should navigate this issue.

I will update the deck with “In Discussion.”

Thank you,
Jason

From: Jeffery Shanahan
Sent: Friday, August 04, 2017 2:22 PM
To: Maria Ciavarelli <maria.ciavarelli@cardconnect.com>
Cc: Jeffrey Lippert; Daniel Horne ; Jason Thomas ; Christopher Needham ; William Barry ;
Stephen Tefft ; Jason Spangler ; Michael Knorr ; Michael Ames
Subject: Re: Shift update

I am available all day
When are u free?

Sent from my iPhone

On Aug 4, 2017, at 3:18 PM, Maria Ciavarelli <maria.ciavarelli@cardconnect.com> wrote:

Jeff I am available today as well to discuss. LMK when good for you.

Thx
Sent from my Sprint Samsung Galaxy S® 6.

-------- Original message --------
From: Jeffery Shanahan
Date: 8/4/17 2:17 PM (GMT-05:00)
To: Jeffrey Lippert , Daniel Horne Jason Thomas Christopher Needham ,
William Barry Stephen Tefft Jason Spangler Michael Knorr
Cc: Maria Ciavarelli Michael Ames
Subject: Re: Shift update

Spoke to jason
We should talk first

Sent from my iPhone

> On Aug 4, 2017, at 2:59 PM, Jeffrey Lippert <jlippert@firstdata.com> wrote:
>
> All,
>
>The spreadsheet from Jason, is there anything else from the group that we should be discussing with
>the broader team at JPMC and FDMS specifically around $4.

Thanks
>
> Jeff

From: Daniel Horne
Sent: Friday, August 04, 2017 1:46 PM
>To: Jason Thomas; Christopher Needham; William Barry; Stephen Tefft; Jason Spangler;
>Michael Knorr; Jeffrey Lippert
>Cc: Maria Ciavarelli; Michael Ames
>Subject: RE: Shift update

Great summary Jason, thanks for pulling together.

Dan Horne
>EVP, Finance and Accounting
>[CardConnect Logo]
>T 484.588.3285
> M 908.399.4071
>cardconnect.com

From: Jason Thomas [mailto:jason.a.thomas@jpmchase.com]
>Sent: Friday, August 04, 2017 1:45 PM
>To: Christopher Needham; William Barry; Stephen Tefft; Daniel Horne; Jason Spangler; Michael
>Knorr; Jeffrey Lippert
>Cc: Maria Ciavarelli; Michael Ames
>Subject: Shift update

Chris, Team, The attached file is the most up to date actions around the Shift 4 relationship. Please
>review and let’s plan to get on the phone to determine which areas should be discussed at next
>week’s meeting.
Please note that since this is a JPMC deck, it is considered confidential and is not to be shared with
>Shift 4.

Thank you;
>Jason A. Thomas, CTP | Finance & Business Management-Associate
>J.P. Morgan Merchant Services Treasury Services

UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF PENNSYLVANIA

CARD CONNECT, LLC,

Plaintiff,
v.
Civil Action No. 17-3972
SHIFT4 PAYMENTS, LLC, et al.,

Defendants.
____________________________________/

VIDEOTAPED DEPOSITION OF
JARED ISAACMAN

Via Videoconference
March 15, 2019
Volume 1

REPORTED BY: BARBARA VROUBAY, RPR, CRR, CRC

Page 63
1 the customer contract requires two weeks of
2 testing. I mean, if the customer contract
3 requires testing, they're going to test.
4 Q (By Mr. Critchley) So would it be a problem
5 that there was one day of testing set forth in the
6 integration guides that were sent out by Shift4?
7 A. Again, the integration guide is more of an
8 example of one of many paths that could be
9 followed. The contract should -- you know,
10 should accommodate, you know, additional testing.
11 I mean, these are, you know, payment devices that
12 are in some cases 10, 15 years old. So, I mean,
13 you could expect a large number of peripherals
14 and, you know, different types of technology
15 connected to those systems.
16 So you don't want to -- again, at least
17 the way we look at it, you don't want to, you
18 know, have an expectation that it integrates
19 perfectly in, you know, one day. You know, that
20 would be rather naive.
21 Q. Okay.
22 I want to show you what we're going to
23 mark as Isaacman Exhibit 15.

Page 128
1 BY MR. CRITCHLEY:
2 Q. Have you ever heard of a company called Cyber
3 Security Consultants Israel?
4 A. No.
5 Q. Okay. Do you see the name David Levin up at
6 at the top of Exhibit 89?
7 A. I do.
8 Q. Okay. And what materials did you provide to
9 Mr. Levin concerning the analysis that you asked
10 him to do?
11 A. I'm trying to recall how many documents we
12 would have shared with him. I know there were a
13 variety of e-mails back and forth he had with our
14 team. I would say we probably provided him
15 virtually anything he needed.
16 I remember providing him with a number
17 of documents that we were able to recover from
18 backup files from Nate, as well as that were on
19 my computer.
20 I know he was working directly with a
21 variety of Shift4 employees. I know that we
22 sent him information. He was on phone calls,
23 meetings with First Data directly.
24 So I would say, you know, pretty much
25 anything he would have asked for, you know, we
Page 129
1 would have provided.
2 Q. Okay. And did you meet with him in person to
3 prepare him to give testimony in this case?
4 A. Yes.
5 Q. And how many times did you meet with him?
6 A. I don't know. I flew out to, I believe,
7 California once. And then he flew to, I think,
8 Pennsylvania once or twice.
9 Q. Okay. Did you have any meetings with him or
10 telephone calls with him to prepare him for his
11 testimony today?
12 A. Yes.
13 Q. And when did those meetings take place?
14 A. I don't know. It has been over a number of
15 months.
16 Q. And how many -- well, let me ask it this way.
17 How many hours in total have you spent with
18 Mr. Levin preparing his testimony for today?
19 A. I'm terrible with like hours and time frames
20 and all that. I mean, I don't know. I'm
21 guessing. I mean, I don't know.
22 I would just say multiple.
23 Q. Okay. I'm just going to show you an e-mail
24 string here.
25

Page 227
 Q. Did you create a copy of all of Mr. Ward's
5 hard -- of the contents of Mr. Ward's hard drive?
6 A. I don't know who created all the copies of all
7 the various images of drives and documents. I
8 know we had a lot of, you know, old backup files.
9 I mean, we engaged cybersecurity consultants. I
10 mean, there was a lot of stuff going on in order
11 to, you know, preserve and, in many cases,
12 restore documents just because there were a lot of
13 inconsistencies.
14 So just to be, you know, totally
15 clear, I don't know the level of involvement of
16 our -- of the people at Shift4, the cybersecurity
17 consultants, or anything. It was a lot of
18 chaotic document recovery going on for, you know,
19 a period of time.

Ben Isaacman: 3/22/18

Ben Isaacman
Today 1:46 PM
any chance he could be in by 7a pacific?

Kenny [Redacted]
Today, 1:46 PM
Lemme see

kenny [Redacted]
Today 1:50 PM
Do u need a full report of changes or is a
high level summary enough?

Ben Isaacman
Today 1:52 PM
high level should be enough for him

Kenny [Redacted]
Today 1:52PM
K.

Kenny [Redacted]
Tday 1:57 PM
He said Yea

Ben Isaacman
Today 1:57 PM
awesome. thanks!

    Ben Isaacman
    Today 6:14 PM
    do you have a summary from [Redacted]
    yet or know when he will have it ready?
    I'm about finished w mine from
    yesterday but wanted to wait for his.

Kenny [Redacted]
Today 6:26 PM
Yea can have it in like a half hr

Kenny [Redacted]
Today 7:28 PM
[Redacted] is working on it. He's
[Redacted]. He should have
something to me soon.

Ben Isaacman
Today 7:28 PM
    sounds good

------------------------------------------------------------------
Ben Issacman:6/30/17
------------------------------------------------------------------

[Redacted] Van নাশ:30 PM
Hey Ben, David wants to talk to
you about the vulnerability scan
really quick

Ben Isaacman
6/30/17 9:30 PM
ok with who?

[Redacted] Van
6/30/17 9:32 PM
David, the guy from cyber
security Israel

Ben Isaacman
6/30/17 9:33 PM
oh ok gotcha.

UNITED STATES DISTRICT COURT
FOR THE EASTERN DISTRICT OF PENNSYLVANIA

CARD CONNECT, LLC,
Plaintiff,

v.
SHIFT4 PAYMENTS LLC, f/k/a
LIGHTSPEED PAYMENTS, INC., et al.,
Defendants.

Civil Action No. 2:17-cv-03972-MAK

Deposition of DAVID LEVIN
June 6, 2019
Philadelphia, PA

REPORTED BY: LISA B. DINSMORE, RPR, CRR

1 APPEARANCES:
2
3 On Behalf of the Plaintiff:
4 FINEMAN, KREKSTEIN & HARRIS, P.C.
5 BY: NEIL S. WITKES, ESQUIRE
6 BRUCE G. FREEDMAN, ESQUIRE
7 1818 Market Street, Suite 3400
8 Philadelphia, PA 19103
9 (215) 893-8715
10 Fax: (215) 893-8719
11 Email: NWitkes@finemanlawfirm.com
12 BFreedman@finemanlawfirm.com
13
14 On Behalf of the Defendants:
15 LATHAM & WATKINS, LLP
16 BY: ANDREW M. CRITCHLEY, ESQUIRE (Via Polycom)
17 505 Montgomery Street, Suite 2000
18 San Francisco, CA 94111-6538
19 (415) 391-0600
20 Fax: (415) 395-8095
21 Email: andy.critchley@lw.com
22
23 LATHAM & WATKINS, LLP
24 BY: ALANA L. SHINDLER, ESQUIRE (Via Polycom)
25 555 Eleventh Street NW, Suite 1000

Page 28
1 cross-examination is the greatest
12 legal engine ever invented for the discovery
13 of truth. Now, I don't know how familiar you
14 are with Mr. Isaacman of Shift4.
15 And you are appearing here today,
16 right?
17 A. Correct. I do agree. I remember John
18 Wigmore, yes.
19 BY MR. WITKES:
20 Q. Okay. I want you take a look at what's
21 marked as Exhibit DL4 and tell me if you
22 recognize that document, please.
23 A. Yes.
24 Q. What is it?
25 A. This is a communication between myself
Page 29
1 and, looks like, Ben Isaacman and Randy Conte
2 on June 25th, 2019 -- sorry, 2018.
3 Q. And is Cybersecurity Consultants Israel
4 your company?
5 A. That's correct.
6 Q. Is that the company that at some point in
7 time was retained to do work by Shift4?
8 A. Correct.
9 Q. Are you the principal of that company?
10 A. Yes.
11 Q. Are you the only person who works for
12 that company when it's engaged to do
13 consultant work?
14 A. No.
15 Q. Who else would have worked for the
16 company during the period of time that you
17 were consulting with Shift4?
18 A. Could you repeat the question?
19 Q. Sure. During the period of time that
20 Cybersecurity Consultants was providing
21 services to Shift4, did you have individuals
22 who were working for you, other than yourself?
23 A. Yes.
24 Q. Who were they?
25 A. I am sorry. Can you state your

Page 35
5 Q. Okay. Did you receive any payments
6 directly --
7 A. Yes, I have.
8 Q. Okay. I am sorry. Let me just finish
9 the question, if I could for a second.
10 Did you receive any payments directly
11 from Shift4 as opposed to Cybersecurity
12 Consultants Israel?
13 A. No. All payments were made to
14 Cybersecurity Consultants.
15 Q. And can you, again, just tell me what
16 your anticipation as to your current hourly
17 billing?
18 A. Oh, what I currently bill hourly?
19 Q. Right.
20 A. Currently or related to this case?
21 Q. Well, let me start with this case.
22 What's your current hourly rate when it
23 relates to this case?
24 A. $500 an hour.
25 Q. And what's your -- do you have an hourly
Page 36
1 rate that you charge clients when it's
2 unrelated to a litigation matter?
3 A. Yes.
4 Q. What is that?
5 A. 500.
6 Q. Okay.
7 MR. WITKES: All right. Let's take five
8 minutes.
9 (Recess taken.)
10 MR. WITKES: We are back on the record.
11 BY MR. WITKES:
12 Q. Mr. Levin, do you have any particular
13 expertise in application security?
14 A. I don't.
15 Q. Okay. And during the course of your
16 engagement by Shift4, were you ever requested
17 to provide any analysis of any computer
18 applications?
19 A. I don't recall.
20 Q. Okay. How about any payment, PA-DSS
21 compliant applications, were you ever asked to
22 provide any opinions regarding those types of
23 applications?
24 A. No.
25 Q. And I take it then that it would follow

Page 56
2 a payment gateway like Shift4 would not keep in
3 plain text credit card numbers, would they?
4 A. They should not.
5 Q. So, for instance, on Exhibit DL15, that
6 first line that is titled "Card PAN," P-A-N,
7 that's the card number; is that correct?
8 A. Correct.
9 Q. And so what is shown in that card PAN
10 section is not the actual card number, is it?
11 A. That is a token representation of a card
12 number.
13 Q. So is Shift4 storing the actual card
14 numbers in this system?
15 A. No. Their environment is tokenized, so
16 they store tokens and they store, at times,
17 encrypted credit card numbers.
18 Q. Okay. But the actual card number in your
19 report where it says "Card PAN," that is, in
20 fact, a token; is that correct?
21 A. Correct.
22 Q. And that applies to all the other lines in
23 your report that says "Card PAN," those are all
24 tokenized numbers?
25 A. Correct.