MATTRESS FIRM. 10201 S. Main Street I , 77025 I 713 .923.1090

January 3, 2018

Via Email ([email protected])

Maryland Attorney General Brian E. Frosh Office of the Attorney General 200 St. Paul Place Baltimore, MD 21202

Re: Notice Pursuant to Maryland Code, Comm. Law§ 14-3504

Dear Attorney General Frosh:

Pursuant to Maryland Code, Comm. Law § 14-3504, on behalf of Mattress Firm, Inc. (the "Company"), I am hereby to notifying you of an incident that may have resulted in the disclosure of personal information of a Maryland resident.

On November 14, 2017, the Company received reports that some of its employees had not received their paychecks via direct deposit. In looking into the matter, the Company became aware of an incident that resulted in unauthorized access to the Company's human resources information system ( our "HR Information System"). The unauthorized access resulted from a "phishing" e­ mail that was sent to users on the Company's e-mail domain on or about November 9, 2017. The "phishing" e-mail contained a link to a third-party website that misled users into providing their network login and password credentials. The Company believes that an unknown party then used these harvested credentials to gain access to the compromised users' accounts on our HR Infonnation System, where personal inf01mation (e.g., name, social security number and bank account number) is viewable. Our investigation into the matter also revealed that an unknown party changed the direct deposit account info1mation of some of the users that had provided their credentials so that their pay was re-directed to an unauthorized bank account. The Company believes that only one (1) resident of the State of Maryland was affected by this incident.

The Company does not believe any unauthorized access to our HR Information System remains as a result of the above-described incident. On November 9, 2017, the Company, among other things, (i) notified all Mattress Firm e-mail users of the suspect e-mail, (ii) removed the suspect e-mail from the Company's e-mail servers, and (iii) blocked access to the suspect host domain from the Company's network. Furthe1more, on November 14, 2017, after first learning of the unauthorized access to our HR Information System, the Company disabled external access to our HR Information System, and only restored such access, on November 15, 2017, following a mandatory, on-site password reset for all network users. The Company now requires two-factor authentication to access the HR Information System and for certain external access to the Company's network. Even though the Company informally notified the Maryland resident about the above­ described access on or about November 14, 2017 during its investigation of the incident and again on November 15, 2017 in connection with the mandatory password reset, the Company intends to send the attached formal notice to the resident on or about January 3, 2018.

Should you have any questions about this matter, please do not hesitate to contact me directly by phone (346.718.5332) or email ([email protected]). Thank you for your attention to this matter.

Sincerely,

Mattress Firm, Inc. ~~~1/L~ Daria M. Russell Vice President and Senior Counsel MATTRESSFIRMa 10 201 S. Main Street I Houst on, Texas 77025 I 713.923.1 090

Via Email - [MATTRESS FIRM EMAIL ADDRESS]

[DATE] [FIRST NAME] [LAST NAME] [LINE 1] [LINE2] [CITY], [STATE] [ZIP]

NOTICE

Mattress Film, Inc. ("we," "Mattress Fi1m," or the "Company") is writing to inform you of an incident that resulted, or may have resulted, in unauthorized access to your personal information.

On November 9, 2017, a "phishing" e-mail was sent to users on the Mattress Firm e-mail domam which contained a link to a third-paiiy website. The website misled Mattress Firm e-mail users into disclosing their network login and password credentials while visiting the site. We believe that an unknown party then used these harvested credentials to gain access to individual accounts on our human resources rnformation system (our "HR Information System"), where personal information ( e.g. name, social security number and bank account number) is viewable. We also believe that an unknown party, using harvested credentials, also altered some users' direct deposit account rnformation so that their pay was re-directed to an unauthorized bank account.

As you are aware, you are one of the users that opened the "phishing email" and mistakenly entered your login and password credentials into the third-party website. As a result, we believe that a11 unknown party may have been able to gain access to your individual account on our HR Inf01mation System and view your personal information.

Even though we have taken steps to contain the "phishing email" and do not believe that any unauthorized access to our HR Information System remains as a result of the above-described incident, we cannot advise or promise you that the unauthorized use, if any, of your personal rnformation has stopped. Based on the malicious activity we discovered during our investigation (i.e. direct deposit theft), we have reason to believe that your personal infmmation may be compromised and used for malicious purposes such as identify theft. As a result, we believe you should take immediate steps to protect your personal information and remain vigilant in monitoring its usage. You may obtain information regarding identity theft and freezing your credit report from the following sources:

CREDIT REPORTING AGENCY CONTACT INFORMATION EXPERIAN TRANS UNION EQUIFAX 1-888-397-3742 1-800-680-7289 1-800-525-6285 www.exQerian.com www.transunion.com www.eguifax.com P.O. Box 4500 P.O. Box 2000 P.O. Box 740241 Allen, TX 75013 Chester, PA 19016 , GA 30374

FEDERAL TRADE COMMISSION CONTACT INFORMATION Phone: 1-877-438-4338 Address: 600 Pennsylvania Ave, NW, , DC 20580

Website: www.ftc.gov/idtheft

MARYLAND ATTORNEY GENERAL CONSUMER PROTECTION DIVISION Phone: 1-888-743-0023

Address: 200 St. Paul Place, Baltimore, MD 21202

Website: www.oag.state.md.us

Should you have any questions or need further information about this notice, please contact the Legal Department at [email protected] or (346) 718-5332.