[BreachExchange] Cap and gown company data theft exposes payment information of graduating seniors

[Destry Winant]

https://www.13newsnow.com/article/news/nation-world/herff-jones-cap-gown-graduation-payment-information-theft/507-def01040-b9b9-40da-b0a0-50dc6733806f

A company that provides caps and gowns for graduation ceremonies said
Tuesday it is apologizing after an apparent data theft exposed the payment
information of some graduating university seniors. The revelation came
after several students across the country started noticing strange bank
activity and lamented that they had not been warned their accounts might be
at risk.

The company is Indianapolis-based Herff Jones, which on its website says it
provides "class rings and jewelry, caps and gowns, yearbooks, diplomas,
frames and announcements..."

The University of Houston student newspaper, The Cougar, cited reports from
students there who have been discussing on social media what happened to
them. One student, Mariah Ochoa, told The Cougar her account ended up being
frozen. Students also alleged that neither the university nor Herff Jones
issued any statement or warning about it.

“Graduation has been such a difficult process, which leaves a lot of us
with unanswered questions. On top of that, now there’s a data breach? And
no one is notifying us?" Ochoa reportedly said.

It wasn't just Houston. A post on a Purdue University subreddit said "After
conversing with multiple seniors, we’ve (my roommates and I) come to the
conclusion that the overpriced rental cap and gown company is leaking
credit card information. To all seniors participating in commencement this
semester, watch your bank statements."

Towson University in Maryland urged students who bought a cap and gown to
monitor their accounts and credit reports, WJZ in Baltimore reported.

A Herff Jones spokesperson said in a statement that it recently became
aware of suspicious activity involving customers' payment information.

"We promptly launched an investigation and engaged a leading cybersecurity
firm to assist in assessing the scope of the incident. We have taken steps
to mitigate the potential impact and notified law enforcement," the
spokesperson said, adding that its investigation revealed that some
information had been stolen but did not specify how how many people were
affected.

"We sincerely apologize to those impacted by this incident. We are working
diligently to identify and notify impacted customers," the spokesperson
said.

The company says those impacted can contact customer service by calling
855-535-1795 between 9 a.m. and 9 p.m. EDT Monday-Friday.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210513/dc9b2479/attachment.html>