
Tina Wolfson, SBN 174806
Theodore W. Maya, SBN 223242
AHDOOT & WOLFSON, PC
10728 Lindbrook Drive
Los Angeles, 90024
Tel: (310) 474-9111
Fax: (310) 474-8585

Benjamin F. Johns
Beena M. McDonald
CHIMICLES SCHWARTZ KRINER & DONALDSON-SMITH LLP
One Haverford Centre
361 West Lancaster Avenue
Haverford, PA 19041
Telephone: (610) 642-8500
Fax: (610) 649-3633

SUPERIOR COURT OF THE STATE OF CALIFORNIA
COUNTY OF LOS ANGELES, CENTRAL DISTRICT


KYNDAL CHRISTOFFERSON, on behalf of herself and all others similarly situated,
Plaintiff,
v.
CREATION ENTERTAINMENT, INC.,
Defendant.

CASE NO.

CLASS ACTION COMPLAINT
1. NEGLIGENCE
2. BREACH OF IMPLIED CONTRACT
3. VIOLATIONS OF THE MARYLAND CONSUMER PROTECTION ACT
4. VIOLATION OF THE UCL
5. UNJUST ENRICHMENT

CLASS ACTION – COMPLEX

JURY TRIAL DEMANDED


Plaintiff Kyndal Christofferson (“Plaintiff”) individually and on behalf of all others similarly situated, upon personal knowledge of the facts pertaining to her and on information and belief as to all other matters, by and through undersigned counsel, hereby brings this Class Action Complaint against Defendant Creation Entertainment, Inc. (“Creation”).

NATURE OF THE ACTION

1. Plaintiff brings this action, individually and on behalf of all others similarly situated whose sensitive financial and personal non-public information, including but not limited to (a) names; (b) addresses; (c) email addresses; and (d) payment card information (including, inter alia, card numbers, expiration dates, and security codes (“CVV numbers”)) (collectively, “Personal Information”) was accessed and captured from Creation’s systems by unauthorized users during a period of time that ended on or around October 2018 (the “Data Breach”).

2. As alleged in greater detail below, Creation is a company that produces live interactive entertainment conventions for fans of genre television and film. These fans can purchase tickets to Creation’s events and merchandise directly through its website.

3. On or around March 12, 2019, through its Facebook page, Creation first stated it was aware of reports of fraudulent activity on its customers’ credit cards,[1] but Creation was careful not to admit to the existence of a data breach and merely stated it was investigating the issue.

4. The following day, on March 13, 2019, Creation posted a slightly more detailed announcement on its website, informing customers that Creation was advised by several customers of possible fraudulent debit and credit card charges to their accounts. However, Creation was adamant in denying any breaches to its system, and further denied any breaches reported by its debit/credit card processors.

[1] https://www.facebook.com/CreationEntertainment/ (last visited: April 2, 2019).

5. An update was posted on Creation’s website on March 14, 2019, asking customers to contact Creation’s customer service team if they were notified of possible suspicious activity on their debit and credit cards. Still without admitting a data breach, Creation asked for its customers’ patience.

6. The truth was revealed on March 19, 2019, when Creation first publicly confirmed in an announcement on its website that there was a breach of its system related to transactions that occurred in and prior to October 2018.

7. Upon information and belief, Creation’s system was accessed by unauthorized users who were able to capture customers’ Personal Information, including payment card information, entered while making online purchases on Creation’s website.

8. As alleged herein, Creation’s failure to implement or maintain adequate data security measures for customers’ information, including Personal Information, directly and proximately caused injuries to Plaintiff and the Class (defined below).

9. Creation failed to take reasonable steps to employ adequate security measures or to properly protect sensitive payment Personal Information despite well-publicized data breaches at large national retail chains in recent years, including Marriott, Arby’s, Wendy’s, Target, Home Depot, Sally Beauty, Harbor Freight Tools, P.F. Chang’s, Dairy Queen, Kmart, and many others.

10. The Data Breach was the inevitable result of Creation’s inadequate data security measures and cavalier approach to data security. Despite the well-publicized and ever-growing threat of security breaches involving payment card networks and systems, and despite the fact that these types of data breaches were and are occurring throughout the retail industry, Creation failed to ensure that it maintained adequate data security measures, causing customers’ Personal Information to be stolen and/or accessed by unauthorized users.

11. As a direct and proximate consequence of Creation’s negligence and/or failure to implement and maintain adequate security measures, the sensitive Personal Information of consumers was stolen from Creation. Victims of the Data Breach have had their Personal Information compromised, had their privacy rights violated, been exposed to the increased risk of fraud and identity theft, lost control over their personal and financial information, and otherwise been injured.

12. Moreover, Plaintiff and Class Members have been forced to spend significant time associated with, among other things, detecting and expending effort to recuperate fraudulent charges on their debit and credit cards, cancelling/closing and opening new credit or debit card accounts, ordering replacement cards, obtaining fraud monitoring services, losing access to cash flow and credit lines, monitoring credit reports and accounts, and/or other losses resulting from the unauthorized use of their cards or accounts. Rather than providing meaningful assistance to consumers to help deal with the fraud that has and will continue to result from the Data Breach, Creation simply told them that Creation’s new system does not have any issues. In contrast to what is, and has been, frequently made available to consumers in recent data breaches, Creation has not offered or provided any monitoring service or fraud insurance to date.

13. Plaintiff and Class Members seek to recover damages caused by Creation’s negligence, breach of implied contract, unjust enrichment and violations of state consumer protection and data privacy statutes. Additionally, Plaintiff seeks declaratory and injunctive relief as a result of the conduct of Creation discussed herein.

PARTIES

Plaintiff

14. Plaintiff Kyndal Christofferson is an adult residing in Millersville, Maryland.

15. Prior to October 2018, Plaintiff Christofferson made several purchases from Creation Entertainment through attendance of its promoted fan conventions since 2015.

16. On or about March 12, 2019, Plaintiff Christofferson was alerted by her bank that several fraudulent charges were made and/or attempted on her debit card. She immediately got in contact with her bank, who cancelled the debit card that she had on file. Several days later, her credit card was also subject to several fraudulent charges, which was cancelled as well due to suspected fraud. Even though her debit card has been cancelled, her debit account continues to be subjected to attempted fraudulent charges.

17. Then, on March 19, 2019, Plaintiff Christofferson received an email from Creation Entertainment informing her that Creation Entertainment was subject to a breach related to transactions that occurred in or prior to October 2018. The letter further states that more detailed notices would be sent out to individual cardholders whose information was potentially compromised as a result.

18. Had Plaintiff Christofferson known that Creation Entertainment would not adequately protect her sensitive payment card information, she would not have allowed her Personal Information to be entrusted to Creation Entertainment.

19. As a result of Creation Entertainment’s failure to adequately safeguard Plaintiff Christofferson’s Personal Information, Plaintiff Christofferson has been injured.

Defendant Creation Entertainment, Inc.

20. Creation was founded on or around 1971 and is incorporated in California, with its principal place of business located at 217 S. Kenwood Street, Glendale, California 91205.

21. Creation operates in the , Canada and Great Britain with an annual revenue base of $4.9 million.[2]

22. Creation describes itself as producing the world’s leading conventions for fans of genre television and film. It purports not to oversell its venue, unlike other conventions, and, through a wide variety of ticket options, guarantees a seat in its main theater for all ticket holders to see all guest appearances and attractions.

[2] http://www.buzzfile.com/business/Creation-Entertainment-Inc-818-507-6423 (last visited Mar. 29, 2019).

23. Creation is also a licensee of merchandising for many television and film genres, mainly in , horror and , with some of its biggest partnerships names including , Terminator, The X-Files, Lost, Xena, The Lord of the Rings, Dr. Who, Stargate, The Muppets, The CW’s Supernatural and the Twilight Saga.

JURISDICTION AND VENUE

24. This is brought as a class action to remedy violations of California law by Creation Entertainment Inc. This Court has subject matter jurisdiction over this action pursuant to the California Code of Civil Procedure.

25. This Court has personal jurisdiction over Creation because it meets the sufficient minimum contacts of conducting substantial marketing, advertising, promotion and selling of Creation events and merchandise throughout California and maintains its principal place of business in this judicial district.

26. Venue properly lies in this district pursuant to the California Code of Civil Procedure because, inter alia, Creation conducts substantial business in this district, giving rise to a substantial part of the events and/or omissions of the claims.

FACTUAL ALLEGATIONS

Creation’s Privacy Statement and Safety Information to Customers

27. Creation’s website[3] contains an entire page devoted to a “Privacy Statement,” which discusses its policies to assure the protection of its visitors.

28. Within the “Privacy Statement” are various privacy topics listed as header questions including: “How does Creation Entertainment protect visitor information?” In response thereto is the description:

[3] https://www.creationent.com (last visited: April 2, 2019).

Creation Entertainment implements a variety of security measures to maintain the safety of your personal information. User personal information is only accessible by a limited number of employees who have special access rights to such information. When you place an order we offer the use of a secure server. All sensitive/credit information supplied by users is transmitted via Secure Socket Layer (SSL) technology to be only accessed as stated above.

29. Despite the foregoing assurances, however, Creation failed to adequately protect Plaintiff’s and class members’ (defined below) Personal Information.

Creation’s Verification and Security Guarantees to Customers

30. Creation’s website contains a GoDaddy Verified and Secured registered trademark symbol:

[Screenshot not reproduced.]

This registered trademark symbol is also on Creation’s Shopping Cart webpage.[4] A click on the symbol populates another “Verified Secure Site by GoDaddy.com” webpage:

[Screenshot not reproduced.]

31. Similar to Creation’s representations above from its website, this verification states that Creation’s website is secured with a GoDaddy.com Web Server Certificate and that transactions on the site are protected with up to a 256-bit Secure Sockets Layer encryption.

[4] https://tickets.creationent.com/checkout/cart/ (last visited: April 2, 2019).

32. Despite the foregoing assurances, however, Creation failed to adequately protect Plaintiff’s and class members’ (defined below) Personal Information.

The Data Breach

33. As discussed above, Creation has acknowledged that its system was accessed by unauthorized users who were able to capture customers’ Personal Information, including payment card information, entered on Creation’s website while making online purchases.

34. Specifically, the notice states “We can now confirm that there was a breach of our system related to transaction that occurred in and prior to October 2018.”[5]

35. Creation’s notification acknowledged the very real threat that the Data Breach would result in fraudulent charges, identity theft, and other similar risks and further reported, “we regret any inconvenience this matter may cause. As additional information becomes available, we will share as much as we can.”[6]

36. Notably, Creation has not offered customers free credit monitoring, let alone contact information for Equifax, Experian, and Transunion, as well as for the Federal Trade Commission-Consumer Response Center. Creation only made a general suggestion to customers to check their credit card and bank statements for any fraudulent activity. Essentially, all of these steps are mandated generalities used by virtually every company when publishing alerts about data security breaches; Creation did not make any additional effort to mitigate or remediate the damage caused by the Data Breach.

37. Additionally, as of the latest update from Creation on March 19, 2019, the only information they can offer is that the breach was related to transactions that occurred prior to October 2018.

[5] https://www.creationent.com/index.htm (last visited March 29, 2019).
[6] Id.

38. Based on the foregoing—and upon information and belief—Plaintiff’s and the Class’ Personal Information was stolen, acquired, accessed, downloaded, and/or viewed by unauthorized persons from Creation’s websites or systems.

39. Neither the statement on Creation’s website, nor any contemporaneous statements by Creation to media outlets, gave any indication as to the magnitude of the Data Breach or the number of customers affected. However, upon information and belief, the Data Breach affected the large majority of individuals who are customers and, in turn, users of Creation’s various business services.

40. Creation’s own public statements confirm that the Breach will subject Plaintiff and the Class to continued, future risk of identity theft, fraudulent charges and other damages. For instance, Creation stated to consumers “We do suggest that everyone check their credit card or bank statements for any fraudulent activity and alert their credit card companies or bank of any issues.”[7]

Industry Standards and the Protection of Customer Personal Information

41. It is well known that customer Personal Information is valuable and frequently targeted by hackers. Despite the risk of a data breach and the widespread publicity and industry alerts regarding the other notable data breaches, Creation failed to take reasonable steps to adequately protect their computer systems from being breached.

42. Creation is, and at all relevant times has been, aware that the Personal Information they maintain is highly sensitive and could be used for nefarious purposes by third parties, such as perpetrating identity theft and making fraudulent purchases.

43. As reflected in the screenshots above from Creation’s website, Creation’s various website pages acknowledge that their customers/clients expect them to adequately safeguard their customers’ Personal Information.

[7] Id.

44. Creation is, and at all relevant times has been, aware of the importance of safeguarding customers’ Personal Information and of the foreseeable consequences that would occur if their data security systems were breached.

45. Financial institutions and credit card processing companies have issued rules and standards governing the basic measures that merchants must take to ensure that consumers’ valuable data is protected.

46. According to the Federal Trade Commission (“FTC”), the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data constitutes an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act of 1914 (“FTC Act”), 15 U.S.C. § 45.

47. In 2007, the FTC published guidelines that establish reasonable data security practices for businesses. The guidelines note that businesses should protect the personal customer information that they keep; properly dispose of Personal Information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies for installing vendor-approved patches to correct security problems. The guidelines also recommend that businesses consider using an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone may be trying to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.

48. The FTC has also published a document, entitled “Protecting Personal Information: A Guide for Business,” which highlights the importance of having a data security plan, regularly assessing risks to computer systems, and implementing safeguards to control such risks.[8]


[8] FTC, Protecting Personal Information: A Guide for Business (Nov. 2011), www.stopfraudcolorado.gov/sites/default/files/bus69-protecting-personalinformation-guide-business_0.pdf.

49. Furthermore, the Payment Card Industry Data Security Standard (“PCI DSS”) is promulgated by the Payment Card Industry Security Standards Council, and consists of twelve actionable steps companies should take to secure data information. The twelve steps of the PCI DSS are:

(1) Install and maintain a firewall configuration to protect cardholder data;
(2) Do not use vendor-supplied defaults for system passwords and other security parameters;
(3) Protect stored cardholder data;
(4) Encrypt transmission of cardholder data across open, public networks;
(5) Protect all systems against malware and regularly update anti-virus software or programs;
(6) Develop and maintain secure systems and applications;
(7) Restrict access to cardholder data by business need to know;
(8) Identify and authenticate access to system components;
(9) Restrict physical access to cardholder data;
(10) Track and monitor all access to network resources and cardholder data;
(11) Regularly test security systems and processes; and
(12) Maintain a policy that addresses information security for all personnel.

50. Creation knew of these standards through its participation in the payment card processing networks.

51. As noted above, Creation should have been aware of the need to have adequate data security systems in place.

52. Despite this, Creation failed to upgrade and maintain its data security systems in a meaningful way so as to prevent data breaches. Had Creation maintained their information technology (“IT”) systems and adequately protected them, they could have prevented the Data Breach.


53. As a result of industry warnings, industry practice, and multiple well-documented data breaches, Creation was alerted to, and in turn aware of, the risks associated with failing to ensure that their IT systems were adequately secured.

54. Despite the fact that Creation was on notice of the very real possibility of consumer data theft associated with its security practices, and that Creation knew or should have known about the elementary infirmities associated with its security systems, Creation still failed to make necessary changes to its security practices and protocols.

55. Creation, at all times relevant to this action, had a duty to Plaintiff and members of the Class to: (a) properly secure Personal Information submitted to or collected on Creation’s websites and on Creation’s internal networks; (b) encrypt Personal Information using industry standard methods; (c) use available technology to defend its systems from well-known methods of invasion; (d) act reasonably to prevent the foreseeable harms to Plaintiff and the Class, which would naturally result from Personal Information theft; and (e) promptly notify customers when Creation became aware of the potential that customers’ Personal Information may have been compromised.

56. Creation negligently allowed Personal Information to be compromised by failing to take reasonable steps against an obvious threat.

57. As a result of the events detailed herein, Plaintiff and members of the Class suffered losses resulting from the Data Breach, including loss of time and money resolving fraudulent charges; loss of time and money obtaining protections against future identity theft; financial losses related to the purchases made at and/or through Creation’s website that Plaintiff and Class members would not have made had they known of Creation’s careless approach to cybersecurity; lost control over the value of Personal Information; unreimbursed losses relating to fraudulent charges; losses and fees relating to exceeding credit and debit card limits, balances, and bounced transactions; harm resulting from damaged credit scores and information; and other harm resulting from the unauthorized use or threat of unauthorized use of stolen card Information.

58. Even if credit card companies may be responsible for or reimburse some of the unauthorized transactions, consumers affected by the Data Breach may be liable for fraudulent charges below a threshold amount.

59. To date, Creation does not appear to be taking any measures to assist affected customers other than telling them to simply do the following:

• “check their credit card or bank statements for any fraudulent activity”; and
• “alert their credit card companies or bank of any issues.”

Neither of these recommendations, however, requires Creation to expend any effort to protect Plaintiff’s and Class Members’ Personal Information.

60. Creation’s failure to adequately protect consumers’ Personal Information has resulted in consumers having to undertake these tasks, which require extensive amounts of time, calls, and, for many of the credit and fraud protection services, payment of money—while Creation sits by and does nothing to assist those affected by the Data Breach. Instead, as Creation’s announcements indicate, Creation is putting the burden on the consumer to discover possible fraudulent transactions.

CLASS ALLEGATIONS

61. Plaintiff brings this action on her own behalf, and on behalf of the following Class pursuant to the California Rules of Civil Procedure:

All persons whose Personal Information was compromised by the data breach involving Creation Entertainment Inc. at various time(s) in and prior to October 2018. Plaintiff reserves the right to amend the class definition and add additional vendors as parties.

62. The above class is referred to as the “Class.” Excluded from the Class are Creation, their affiliates, officers, directors, assigns, successors, and the Judge(s) assigned to this case. Plaintiff reserves the right to modify, change, or expand the definition of the Class based on discovery and further investigation.

63. Numerosity: While the precise number of Class members has not yet been determined, members of the Class are so numerous that their individual joinder is impracticable, as the proposed Class appears to include many thousands of members who are geographically dispersed. Upon information and belief, the Data Breach affected people across the United States.

64. Typicality: Plaintiff’s claims are typical of the claims of the Class. Plaintiff and all members of the Class were injured through Creation’s uniform misconduct. The same event and conduct that gave rise to Plaintiff’s claims are identical to those that give rise to the claims of every other Class member because Plaintiff and each member of the Class had their data and Personal Information compromised in the same way by the same conduct by Creation.

65. Adequacy: Plaintiff is an adequate representative of the Class because her interests do not conflict with the interests of the Class that she seeks to represent; Plaintiff has retained counsel competent and highly experienced in class action litigation; and Plaintiff and her counsel intend to prosecute this action vigorously. The interests of the Class will be fairly and adequately protected by Plaintiff and her counsel.

66. Superiority: A class action is superior to other available means of fair and efficient adjudication of the claims of Plaintiff and the Class. The injury suffered by each individual Class member is relatively small in comparison to the burden and expense of individual prosecution of complex and expensive litigation. It would be very difficult if not impossible for members of the Class individually to effectively redress Creation’s wrongdoing. Even if Class members could afford such individual litigation, the court system could not. Individualized litigation presents a potential for inconsistent or contradictory judgments. Individualized litigation increases the delay and expense to all parties, and to the court system, presented by the complex legal and factual issues of the case. By contrast, the class-action device presents far fewer management difficulties and provides the benefits of single adjudication, economy of scale, and comprehensive supervision by a single court.

67. Existence and Predominance of Common Questions of Fact and Law: Common questions of law and fact exist as to Plaintiff and all members of the Class. These questions predominate over the questions affecting individual Class members. These common legal and factual questions include, but are not limited to, the following:

• whether Creation engaged in the wrongful conduct alleged herein;
• whether Creation owed a duty to Plaintiff and members of the Class to adequately protect their Personal Information and to provide timely and accurate notice of the breach to Plaintiff and the Class, and whether they breached these duties;
• whether Creation violated Maryland state laws—including but not limited to the Maryland Consumer Protection Act and Md. Code Ann., Commercial Law §13-101, et seq., thereby breaching its duties to Plaintiff and the Class;
• whether Creation knew or should have known that their computer and network systems were vulnerable to attack from hackers;
• whether Creation’s conduct, including their failure to act, resulted in or was the proximate cause of the Data Breach of their computer and network systems resulting in the loss of consumers’ Personal Information;
• whether Creation wrongfully failed to inform Plaintiff and members of the Class that it did not maintain computer software and other security procedures sufficient to reasonably safeguard highly-sensitive personal data;
• whether Creation failed to inform Plaintiff and the Class of the data breach in a timely and accurate manner;
• whether Creation wrongfully waited to inform Plaintiff and Class members that their sensitive Personal Information was exposed in the security breach;
• whether Creation continues to breach duties to Plaintiff and Class;
• whether Creation has sufficiently addressed, remedied, or protected Plaintiff and Class members following the data breach and has taken adequate preventive and precautionary measures to ensure the Plaintiff and Class members will not experience further harm;
• whether Plaintiff and members of the Class suffered injury as a proximate result of Creation’s conduct or failure to act; and
• whether Plaintiff and the Class are entitled to recover damages, equitable relief, and other relief, and the extent of the remedies that should be afforded to Plaintiff and the Class.

68. Creation has acted or refused to act on grounds generally applicable to Plaintiff and the other members of the Class, thereby making appropriate final injunctive relief and declaratory relief with respect to the Class as a whole.

69. Given that Creation has engaged in a common course of conduct as to Plaintiff and the Class, similar or identical injuries and common law and statutory violations are involved and common questions far outweigh any potential individual questions.

70. The Class is defined in terms of objective characteristics and common transactional facts; namely, the exposure of sensitive Personal Information to cyber criminals due to Creation’s failure to protect this information and adequately warn the Class that it was breached. Class membership will be readily ascertainable from Creation’s business records.

71. Plaintiff reserves the right to revise the above Class definition based on facts adduced in discovery.

COUNT I
Negligence
(On Behalf of Plaintiff and the Class)

72. Plaintiff realleges and incorporates all previous allegations as though fully set forth herein.


73. Creation obtained sensitive Personal Information from Plaintiff and Class members in their provision of online retail transactions and services provided to facilitate those transactions.

74. Creation owed a duty to Plaintiff and the Class to maintain confidentiality and to exercise reasonable care in safeguarding and protecting their Personal Information in Creation’s possession from being compromised by unauthorized persons. This duty included, inter alia, designing, maintaining, and testing Creation’s security systems to ensure that Plaintiff’s and Class members’ Personal Information was adequately protected both in the process of collection and after collection.

75. Creation further owed a duty to Plaintiff and Class members to implement processes that would detect a breach of their security system in a timely manner and to timely act upon warnings and alerts.

76. Creation owed a duty to Plaintiff and Class members to provide security consistent with industry standards and requirements and to ensure that their computer systems and networks—and the personnel responsible for them—adequately protected the Personal Information of Plaintiff and Class members whose confidential data Creation obtained and maintained.

77. Creation holds itself out as an expert in legal compliance, and thus knew, or should have known, of the risks inherent in collecting and storing the Personal Information of Plaintiff and Class members and of the critical importance of providing adequate security for that information.

78. Creation’s conduct created a foreseeable risk of harm to Plaintiff and members of the Class. This conduct included but was not limited to Creation’s failure to take the steps and opportunities to prevent and stop the Data Breach as described above. Creation’s conduct also included their decisions not to comply with industry standards for the safekeeping and maintenance of Plaintiff’s and Class members’ Personal Information.

79. Creation knew or should have known that they had inadequate computer systems and data security practices to safeguard such information, and Creation knew or should have known that hackers were attempting to access the Personal Information in databases such as Creation’s.

80. Creation breached the duties they owed to Plaintiff and members of the Class by failing to exercise reasonable care and implement adequate security systems, protocols, and practices sufficient to protect the Personal Information of Plaintiff and members of the Class, as identified above. This Data Breach was a proximate cause of injuries and damages suffered by Plaintiff and Class members.

81. As a direct and proximate result of Creation’s negligence, Plaintiff and Class Members have suffered harm to their personal property by way of their sensitive Personal Information—including but not limited to, their payment cards, credit profiles, credit card balances, and bank accounts—being altered, depleted, reduced, compromised and/or accessible by unauthorized users. As a direct and proximate result of Creation’s negligence, Plaintiff and Class Members have also suffered the loss of time and money resolving fraudulent charges; loss of time and money obtaining protections against future identity theft; financial losses related to the purchases made at and/or through Creation’s website that Plaintiff and Class members would not have made had they known of Creation’s careless approach to cyber security; lost control over the value of personal information; unreimbursed losses relating to fraudulent charges; losses relating to exceeding credit and debit card limits and balances; harm resulting from damaged credit scores and information; and other harm resulting from the unauthorized use or threat of unauthorized use of stolen Personal Information, entitling them to damages in an amount to be proven at trial.

COUNT II
Breach of Implied Contract
(On Behalf of Plaintiff and the Class)

82. Plaintiff realleges and incorporates all previous allegations as though fully set forth herein.

83. Plaintiff and Class members whose Personal Information is obtained by Creation in connection with their provision of online retail and payment services have valid, binding, and enforceable implied contracts with Creation.

84. Specifically, Plaintiff and Class members agreed to the release of their sensitive Personal Information to Creation to be used in connection with their provision of online retail and payment services. In exchange, Creation agreed, among other things: (1) to provide online retail and payment services to Plaintiff and Class members; (2) to take reasonable measures to protect the security and confidentiality of Plaintiff’s and Class members’ Personal Information; and (3) to protect Plaintiff’s and Class members’ Personal Information in compliance with federal and state laws and regulations and industry standards.

85. Protection of Personal Information is a material term of the implied contracts between Plaintiff and Class members, on the one hand, and Creation, on the other hand. Plaintiff and Class members consented—implicitly or explicitly—to the release of their sensitive Personal Information to Creation, in reliance on Creation’s reasonable security. Had Plaintiff and Class members known that Creation would not adequately protect their Personal Information, they would not have consented to their Personal Information being provided to Creation.

86. Creation did not satisfy its promises and obligations to Plaintiff and Class members under the implied contracts because it did not take reasonable measures to keep Plaintiff’s and Class members’ Personal Information secure and confidential and did not comply with the applicable laws, regulations, and industry standards.

87. Creation materially breached its implied contracts with Plaintiff and Class members by failing to implement adequate data security measures.

88. Plaintiff and Class members fully performed their obligations under their implied contracts with Creation.

89. Creation’s failure to satisfy its obligations led directly to the successful intrusion of Creation’s computer servers and stored Personal Information and led
directly to unauthorized parties’ access and exfiltration of Plaintiff’s and Class members’ sensitive Personal Information.

90. Creation breached these implied contracts as a result of its failure to implement adequate data security measures.

91. Also, as a result of Creation’s failure to implement the security measures, Plaintiff and Class members have suffered actual damages resulting from the theft of their Personal Information and remain at imminent risk of suffering additional damages in the future.

92. Accordingly, Plaintiff and Class members have been injured as a proximate result of Creation’s breaches of implied contracts and are entitled to damages and/or restitution in an amount to be proven at trial.

COUNT III
Violations of the Maryland Consumer Protection Act (“MCPA”)
(On Behalf of Plaintiff and the Class)

93. Plaintiff realleges and incorporates all previous allegations as though fully set forth herein.

94. Plaintiff repeats the allegations contained in the foregoing paragraphs as if fully set forth herein.

95. Plaintiff Christofferson is a consumer within the meaning of the MCPA and Md. Code Ann., Commercial Law § 13-101, et seq.

96. The tickets and other goods and services sold by Creation qualify as consumer services within the meaning of the MCPA.

97. The MCPA prohibits the use of any “unfair or deceptive trade practice” in the sale or lease of any consumer goods or services.

98. Creation violated the MCPA by, inter alia, engaging in unfair deceptive acts or practices, including failing to adequately safeguard the sensitive information entrusted to it by consumers and failing to timely and accurately disclose the existence and extent of the breach.

99. As a direct and proximate cause of Creation’s violations of the MCPA, Plaintiff and Class Members have suffered injury in fact and/or actual damages. Had Creation advised Plaintiff that its security system was insufficiently secure such that it enabled the data breach to occur, Plaintiff would not have entrusted her payment card and other personal data to Creation.

100. Plaintiff seeks to recover and is entitled to recover damages, reasonable attorneys’ fees and costs, and expert expenses as a result of Creation’s violations of the MCPA.

COUNT IV
Violation of California Unfair Competition Law, Bus. & Prof. Code § 17200, et seq.
(On Behalf of Plaintiff and the Class)

101. Plaintiff realleges and incorporates all previous allegations as though fully set forth herein.

102. Creation engaged in unfair, fraudulent and unlawful business practices in violation of the Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, et seq. (“UCL”).

103. Plaintiff suffered injury in fact and lost money or property as a result of Creation’s alleged violations of the UCL, including without limitation the loss of Plaintiff’s benefit of the bargain entailed in the implied contract between Creation and her concerning security of her Personal Information.

104. The acts, omissions, and conduct of Creation as alleged constitute a “business practice” within the meaning of the UCL.

105. Creation violated the unlawful prong of the UCL by violating California Civil Code Sections 1798.81.5 and 1798.82, which required Creation to maintain reasonable data security, and to notify California residents about the Data Breach and the Personal Information compromised in a timely manner.

106. Creation’s acts, omissions, and conduct also violate the unfair prong of the UCL because those acts, omissions, and conduct, as alleged herein, offended public
policy and constitute immoral, unethical, oppressive, and unscrupulous activities that caused substantial injury, including to Plaintiff and other Class members. The harm caused by Creation’s conduct outweighs any potential benefits attributable to such conduct and there were reasonably available alternatives to further Creation’s legitimate business interests, other than Creation’s conduct described herein.

107. Creation’s conduct also undermines California public policy — as reflected in statutes like the Information Practices Act, Cal. Civ. Code § 1798 et seq., and the California Customer Records Act, Cal. Civ. Code §§ 1798.81.5 and 1798.82 concerning customer records — which seek to protect customer data and to ensure that entities that solicit or are entrusted with Personal Information utilize reasonable security measures.

108. By failing to disclose that it does not utilize industry standard security practices, which render Creation particularly vulnerable to data breaches, Creation engaged in a fraudulent business practice that is likely to deceive a reasonable consumer.

109. A reasonable person would not have agreed to disclose Personal Information to Creation, or make purchases from Creation requiring such disclosures, had he or she known the truth about Creation’s security procedures. By withholding material information about its security practices, Creation was able to convince Plaintiff and other Class members to make purchases from, and to provide and entrust their Private Information to, Creation.

110. Creation’s failure to disclose that it does not enlist industry standard security practices also constitutes an unfair business practice under the UCL. Creation’s conduct is unethical, unscrupulous, and substantially injurious to Class members.

111. As a result of Creation’s violations of the UCL, Plaintiff and other Class members are entitled to injunctive relief including, but not limited to: (1) ordering that Creation utilize strong industry standard encryption algorithms to protect stored Private Information; (2) ordering that Creation, consistent with industry standard practices,
engage third party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests and audits on Creation’s systems on a periodic basis; (3) ordering that Creation employ adequately trained security personnel, and empower them to implement adequate data security; (4) ordering that Creation engage third party security auditors and internal personnel, consistent with industry standard practices, to run automated security monitoring; (5) ordering that Creation audit, test and train its security personnel regarding any new or modified procedures; (6) ordering that Creation, consistent with industry standard practices, segment Private Information by, among other things, creating firewalls and access controls so that if one area of Creation’s computer system is compromised, hackers cannot gain access to other portions of its systems; (7) ordering that Creation purge, delete, destroy in a reasonably secure manner Private Information not necessary for its provisions of services; (8) ordering that Creation, consistent with industry standard practices, conduct regular database scanning and security checks; (9) ordering that Creation, consistent with industry standard practices, evaluate smartphone and web applications for vulnerabilities to prevent threats to drivers and other users of the Uber app; (10) ordering that Creation, consistent with industry standard practices, periodically conduct internal training and education to inform internal security personnel how to identify and contain a breach when it occurs and what to do in response to a breach; and (11) ordering Creation to meaningfully educate its customers about the threats they face as a result of the loss of their Private Information to third parties, as well as the steps they should take to protect themselves.

112. As a result of Creation’s violations of the UCL, Plaintiff and other Class members have suffered injury in fact and lost money or property, as detailed above. Plaintiff requests that the Court issue sufficient equitable relief to restore Class members to the position they would have been in had Creation not engaged in unfair competition, including by ordering restitution of all funds that Creation acquired as a result of its unfair competition.

COUNT V
Unjust Enrichment
(On Behalf of Plaintiff and the Class)

113. Plaintiff realleges and incorporates all previous allegations as though fully set forth herein.

114. This claim is plead in the alternative to the above contract claim.

115. Plaintiff and Class Members conferred a monetary benefit upon Creation in the form of monies paid for the purchase of products from Creation’s website.

116. Creation appreciated or had knowledge of the benefits conferred upon them by Plaintiff and Class Members. Creation also benefited from the receipt of Plaintiff’s and Class members’ Card Information, which was utilized to facilitate payment to Creation.

117. The monies for products that Plaintiff and Class Members paid to Creation were supposed to be used by both Creation, in part, to pay for the administrative costs of reasonable data privacy and security practices and procedures.

118. As a result of Creation’s conduct, Plaintiff and Class Members suffered actual damages in an amount equal to the difference in value between products and services offered with the reasonable data privacy and security practices and procedures that Plaintiff and Class Members paid for and the inadequate products and services without reasonable data privacy and security practices and procedures that they received.

119. Under principles of equity and public policy, Creation should not be permitted to retain the money belonging to Plaintiff and Class Members because Creation failed to implement (or adequately implement) the data privacy and security practices and procedures that Plaintiff and Class Members paid for and that were otherwise mandated by federal, state, and local laws, as well as industry standards and public policy.

120. Creation should be compelled to disgorge into a common fund for the benefit of Plaintiff and Class Members all unlawful or inequitable proceeds received by them as a result of the conduct and data breach alleged herein.

PRAYER FOR RELIEF

Plaintiff, on behalf of herself and the Class, respectfully requests that the Court grant the following relief:

A. Certify this case as a class action pursuant to California Rules of Civil Procedure and the Civil Code of the State of California and appoint Plaintiff as Class representative and her counsel as Class counsel.

B. Award Plaintiff and the Class appropriate monetary relief, including actual damages, restitution, and disgorgement.

C. Award Plaintiff and the Class equitable, injunctive and declaratory relief as may be appropriate. Plaintiff, on behalf of the Class, seeks appropriate injunctive relief designed to ensure against the recurrence of a data breach by adopting and implementing best security data practices to safeguard customers’ financial and personal information, extend credit monitoring services and similar services to protect against all types of identity theft, especially including card theft and fraudulent card charges, and to provide elevated credit monitoring services to minor and elderly Class members who are more susceptible to fraud and identity theft.

D. Award Plaintiff and the Class pre-judgment and post-judgment interest to the maximum extent allowable.

E. Award Plaintiff and the Class reasonable attorneys’ fees and costs as allowable.

F. Award Plaintiff and the Class such other favorable relief as allowable under law or at equity.

Dated: April 2, 2019

Respectfully submitted,

Tina Wolfson, SBN 174806
[email protected]
Theodore W. Maya, SBN 223242
[email protected]
AHDOOT & WOLFSON, PC
10728 Lindbrook Drive
Los Angeles, California 90024
Tel: (310) 474-9111
Fax: (310) 474-8585

Benjamin F. Johns
[email protected]
Beena M. McDonald
[email protected]
CHIMICLES SCHWARTZ KRINER & DONALDSON-SMITH LLP
One Haverford Centre
361 Lancaster Avenue
Haverford, PA 19041
(610) 642-8500

Counsel for Plaintiff and the Putative Class
