Herff Jones suffers payment card data breach

Graduating students from several universities in the U.S. have been reporting fraudulent transactions after using payment cards at popular cap and gown maker Herff Jones.

In the wake of the reports that started last Sunday, the company started an investigation to determine the extent of the data breach.

Senior students spot illegal card charges

The complaints continued through this week, alerting others to check their card statements for illegal charges. The issue is affecting students across the U.S. at universities in Indiana (Purdue, IU), Boston, Maryland (Towson University), Houston (UH, UHD), Illinois, Delaware, Michigan, Wisconsin, Pennsylvania (Lehigh, Misericordia), New York (Cornell), Arizona, North Carolina (Wake Forest), Florida (State University), California (Sonoma State).

Herff Jones was completely unaware of the breach until students started to complain on social media about their fraudulent charges to their payment cards.

The common denominator was that they were graduating students that had purchased commencement gear at Herff Jones. Some of them had to cancel their payment cards and dispute the fraudulent charges with the bank.

Fraudulent charges complaints after buying from Herff Jones
Senior students complain of fraudulent card activity

Apart from delivery delays, the students complained of fraudulent charges varying from a tens of U.D. dollars to thousands. While most reports mention losses between $80 and $1,200, one student stated that a friend of theirs was charged $4,000.

“Someone just bought a ps5 with my card info and I respect the hustle,” said one student. A parent chimed in saying that their “daughter and about 30 other graduates that she knows of at her school (not Purdue) have had their debit cards compromised through HJ [Herff Jones].”

One senior at Cornell University stated that they had to cancel their credit card because it had been stolen and fraudsters tried to charge $3,000 to “asics” and used it on adult content subscription service OnlyFans.

It is unclear when the breach at Herff Jones occurred but some of the earliest transactions date from the beginning of the month. Multiple students said they had purchased graduation items in April.

On May 12th, Herff Jones issued a statement acknowledging the payment card data breach and apologizing for the incident.

“We sincerely apologize to those impacted by this incident. We are working diligently to identify and notify impacted customers” - Herff Jones

The company is investigating the incident with the help of “a leading cybersecurity firm.”

Related Articles:

Japanese police create fake support scam payment cards to warn victims

MITRE says state hackers breached its network via Ivanti zero-days

CISA orders agencies impacted by Microsoft hack to mitigate risks

CISA says Sisense hack impacts critical infrastructure orgs

GHC-SCW: Ransomware gang stole health data of 533,000 people