
AG James secures $200K from Herff Jones for data breach

New York Attorney General Letitia James on Friday secured $200,000 from student cap and gown producer Herff Jones for failing to protect consumers’ personal information. In April 2021, a data breach exposed the credit card information of thousands of Herff Jones consumers, including more than 40,000 New Yorkers, the majority of whom were students. An investigation by the Office of the Attorney General (OAG) and the Pennsylvania Attorney General’s office revealed that Herff Jones failed to properly employ reasonable data security measures to protect consumers’ information at the time of the breach. As a result of Friday’s agreement, Herff Jones must pay a $200,000 penalty both to New York and Pennsylvania and strengthen its online data security.

“Herff Jones turned milestones into mayhem for thousands of students whose personal information was stolen online because of poor data security measures,” said James. “Consumers who bought class rings and other graduation tokens had their personal information end up in the wrong hands. Companies have an obligation to prioritize their customers’ digital data safety and this agreement will require Herff Jones to strengthen its data security measures. I thank Pennsylvania Attorney General Shapiro for his collaboration in this effort.”

“Protecting Pennsylvanians’ personal information and financial data is a key priority of my office,” said Pennsylvania Attorney General Josh Shapiro. “Every corporation that does business in Pennsylvania needs to stay alert and protect their customer’s personal data or they will have to answer to my office in court. The terms of today’s settlement will help Herff Jones graduate to better protection of consumers’ personal information.”

Herff Jones is a producer and seller of yearbooks, class rings, caps and gowns, and other graduation memorabilia. In April 2021, the company was notified by one of its payment processors that a number of cards tracing back to Herff Jones were found on three different websites known to sell stolen payment card data. A forensic investigation revealed that on Dec. 15, 2020, an unknown hacker exploited a vulnerability in Herff Jones’ web servers that allowed the hacker to steal more than 206,000 customers’ payment card information and other personal information, of which 49,228 were New York residents.

Herff Jones told its customers that it maintained administrative, technical, and physical security measures to protect against the loss, misuse, and/or alteration of their information. However, the OAG investigation discovered that Herff Jones was not in compliance with Payment Card Industry Data Security Standard (PCI DSS) requirements.

This agreement is the latest in James’ ongoing efforts to protect consumers and hold companies accountable for poor or misleading data security measures. In November, James and a multistate coalition obtained a record $391.5 million from Google for misleading millions of users about their location data tracking. In October, she secured $1.9 million from the owner of e-commerce company SHEIN for failing to protect consumers’ data. In June, James also recovered $1.25 million for consumers affected by Carnival cruise line’s data breach.
