Herff Jones has been in business for over a century, selling graduation products such as caps and gowns, class rings and yearbooks to students and their parents to mark their educational accomplishments. On May 12, 2021, the company posted a red banner at the top of its homepage that read “HERFF JONES CYBER SECURITY INCIDENT UPDATE.” The company was the victim of a data breach that occurred between August 1, 2020, and April 30, 2021. The attackers managed to place malware on the company’s servers, which was then used to capture customer payment card information as it was entered. This event resulted in class action litigation affecting thousands of students and parents from across the country.
Description
In May of 2021, students from multiple colleges in the US, including Purdue University, the University of Southern California, Cornell University, and others, began posting on Reddit that their payment card data had been stolen. They all had one thing in common: each had made a purchase from Herff Jones. Four students took on the role of lead plaintiffs and on May 27th filed a class action lawsuit in Indiana, where the company is located. Each of them had made a transaction in March or April of 2021 and had unauthorized charges posted to their accounts following their purchase. These purchases ranged between $250 and $400. None of the four plaintiffs had been notified by Herff Jones about the data breach prior to the filing of the suit, nor had the company notified the State Attorney General’s office or issued any sort of press release alerting customers to the breach. Two similar suits were filed by other students as well.
Basis of the Case
A copy of the Herff Jones data breach complaint can be accessed here. The complaint states that the lead plaintiffs and class members would never have conducted a transaction with their payment cards had they known about Herff Jones’ inadequate data security. It further asserts that the intrusion could have been prevented had the Defendant remedied the deficiencies with industry-recommended security measures.
Some of the other arguments of the complaint include:
- “Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were collecting, causing customers’ PII to be exposed and sold on the dark web”
- “Had Herff Jones remedied the deficiencies in its information storage and security systems, followed industry guidelines, and adopted security measures recommended by experts in the field, Herff Jones could have prevented intrusion into its information storage and security systems and, ultimately, the theft of Plaintiffs’ and Class Members’ confidential Payment Information.”
- “Herff Jones failed to safeguard Plaintiffs’ and other customers’ Payment Information and failed to inform them of the data breach until many of the customers reported a rash of fraudulent charges on their accounts after purchasing items from Herff Jones”
Call to Action
While Herff Jones admitted no wrongdoing, it did agree to pay $4.35 million to resolve the class action suit. Details of the settlement can be found here. The settlement benefits those whose information was compromised during the incident. All class members of the suit receive a lump-sum cash payment as well as additional compensation for fraudulent charges, out-of-pocket expenses, and lost time.
This breach illustrates the importance of a comprehensive and fully implemented incident response plan (IRP). The lawsuit describes Herff Jones’ lack of communication and response. Time is of the essence in these types of incidents: regulators and affected parties must be notified within the deadlines set by applicable breach notification laws, and customers who learn of a compromise from fraudulent charges rather than from the merchant cannot act to protect themselves. An incident response plan provides the guidance and directives that define the actions each member of the organization must take, including who contains the incident, who notifies regulators and affected customers, and by when.
The suit also sought to force Herff Jones to adopt reasonable and sufficient practices to safeguard the payment information of its customers and prevent further breaches from occurring. Had the company performed its duty of care and established reasonable and appropriate security for its organization, the breach, and the suit that followed, might have been avoided.
Start with a Duty of Care Risk Assessment (DoCRA) to understand your organization’s risk posture. A DoCRA identifies areas of potential vulnerability and risk so you can implement reasonable controls, and lets you check whether your existing security controls are ‘reasonable’ in the sense that regulators and courts apply the term.
References:
Herff Jones Assurance of Voluntary Compliance, Pennsylvania; p. 5 (DoCRA)
Herff Jones Assurance of Discontinuance, New York; p. 5 (DoCRA)
Estimating Risk by Industry
HALOCK’s risk approach has been recognized in the 2024 Verizon Data Breach Investigations Report (DBIR). Estimate risk based on real threat data: read Appendix D of the DBIR to augment your risk analysis.