Attorney General James Secures $200,000 from Student Cap and Gown Producer Herff Jones for Data Breach | New York State Attorney General
Attorney General James Secures $200,000 from Student Cap and Gown Producer Herff Jones for Data Breach
Herff Jones Must Strengthen Data Security Measures to Protect Consumers
NEW YORK – New York Attorney General Letitia James today secured $200,000 from student cap and gown producer, Herff Jones, for failing to protect consumers’ personal information. In April 2021, a data breach exposed the credit card information of thousands of Herff Jones consumers, including more than 40,000 New Yorkers, the majority of whom were students. An investigation by the Office of the Attorney General (OAG) and the Pennsylvania Attorney General’s office revealed that Herff Jones failed to properly employ reasonable data security measures to protect consumers’ information at the time of the breach. As a result of today’s agreement, Herff Jones must pay a $200,000 penalty both to New York and Pennsylvania and strengthen its online data security.
“Herff Jones turned milestones into mayhem for thousands of students whose personal information was stolen online because of poor data security measures,” said Attorney General James. “Consumers who bought class rings and other graduation tokens had their personal information end up in the wrong hands. Companies have an obligation to prioritize their customers’ digital data safety and this agreement will require Herff Jones to strengthen its data security measures. I thank Pennsylvania Attorney General Shapiro for his collaboration in this effort.”
“Protecting Pennsylvanians’ personal information and financial data is a key priority of my office,” said Pennsylvania Attorney General Josh Shapiro. “Every corporation that does business in Pennsylvania needs to stay alert and protect their customer’s personal data or they will have to answer to my office in court. The terms of today’s settlement will help Herff Jones graduate to better protection of consumers’ personal information.”
Herff Jones is a producer and seller of yearbooks, class rings, caps and gowns, and other graduation memorabilia. In April 2021, the company was notified by one of its payment processors that a number of cards tracing back to Herff Jones were found on three different websites known to sell stolen payment card data. A forensic investigation revealed that on December 15, 2020, an unknown hacker exploited a vulnerability in Herff Jones’ web servers that allowed the hacker to steal over 206,000 customers’ payment card information and other personal information, of which 49,228 were New York residents.
Herff Jones told its customers that it maintained administrative, technical, and physical security measures to protect against the loss, misuse, and/or alteration of their information. However, the OAG investigation discovered that Herff Jones was not in compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirements. As a result of today’s agreement, Herff Jones must pay a $200,000 penalty, which will be divided between New York and Pennsylvania. Today’s agreement also requires Herff Jones to strengthen and maintain reasonable security policies to protect consumers’ personal information.
This agreement is the latest in Attorney General James’ ongoing efforts to protect consumers and hold companies accountable for poor or misleading data security measures. In November, Attorney General James and a multistate coalition obtained a record $391.5 million from Google for misleading millions of users about their location data tracking. In October, Attorney General James secured $1.9 million from e-commerce SHEIN owner for failing to protect consumers’ data. In June, Attorney General James recovered $1.25 million for consumers affected by Carnival cruise line’s data breach.
This case was handled by Assistant Attorney General Jina John and Deputy Bureau Chief Clark Russell, under the supervision of the Bureau of Internet and Technology’s Bureau Chief Kim Berger. The Bureau of Internet and Technology is overseen by Chief Deputy Attorney General for Economic Justice Chris D’Angelo and First Deputy Attorney General Jennifer Levy.
Herff Jones Must Strengthen Data Security Measures to Protect Consumers
NEW YORK – New York Attorney General Letitia James today secured $200,000 from student cap and gown producer, Herff Jones, for failing to protect consumers’ personal information. In April 2021, a data breach exposed the credit card information of thousands of Herff Jones consumers, including more than 40,000 New Yorkers, the majority of whom were students. An investigation by the Office of the Attorney General (OAG) and the Pennsylvania Attorney General’s office revealed that Herff Jones failed to properly employ reasonable data security measures to protect consumers’ information at the time of the breach. As a result of today’s agreement, Herff Jones must pay a $200,000 penalty both to New York and Pennsylvania and strengthen its online data security.
“Herff Jones turned milestones into mayhem for thousands of students whose personal information was stolen online because of poor data security measures,” said Attorney General James. “Consumers who bought class rings and other graduation tokens had their personal information end up in the wrong hands. Companies have an obligation to prioritize their customers’ digital data safety and this agreement will require Herff Jones to strengthen its data security measures. I thank Pennsylvania Attorney General Shapiro for his collaboration in this effort.”
“Protecting Pennsylvanians’ personal information and financial data is a key priority of my office,” said Pennsylvania Attorney General Josh Shapiro. “Every corporation that does business in Pennsylvania needs to stay alert and protect their customer’s personal data or they will have to answer to my office in court. The terms of today’s settlement will help Herff Jones graduate to better protection of consumers’ personal information.”
Herff Jones is a producer and seller of yearbooks, class rings, caps and gowns, and other graduation memorabilia. In April 2021, the company was notified by one of its payment processors that a number of cards tracing back to Herff Jones were found on three different websites known to sell stolen payment card data. A forensic investigation revealed that on December 15, 2020, an unknown hacker exploited a vulnerability in Herff Jones’ web servers that allowed the hacker to steal over 206,000 customers’ payment card information and other personal information, of which 49,228 were New York residents.
Herff Jones told its customers that it maintained administrative, technical, and physical security measures to protect against the loss, misuse, and/or alteration of their information. However, the OAG investigation discovered that Herff Jones was not in compliance with the Payment Card Industry Data Security Standard (PCI DSS) requirements. As a result of today’s agreement, Herff Jones must pay a $200,000 penalty, which will be divided between New York and Pennsylvania. Today’s agreement also requires Herff Jones to strengthen and maintain reasonable security policies to protect consumers’ personal information.
This agreement is the latest in Attorney General James’ ongoing efforts to protect consumers and hold companies accountable for poor or misleading data security measures. In November, Attorney General James and a multistate coalition obtained a record $391.5 million from Google for misleading millions of users about their location data tracking. In October, Attorney General James secured $1.9 million from e-commerce SHEIN owner for failing to protect consumers’ data. In June, Attorney General James recovered $1.25 million for consumers affected by Carnival cruise line’s data breach.
This case was handled by Assistant Attorney General Jina John and Deputy Bureau Chief Clark Russell, under the supervision of the Bureau of Internet and Technology’s Bureau Chief Kim Berger. The Bureau of Internet and Technology is overseen by Chief Deputy Attorney General for Economic Justice Chris D’Angelo and First Deputy Attorney General Jennifer Levy.