Indianapolis-based Herff Jones is facing three lawsuits from college students and their parents who say they were hit with fraudulent credit- and debit-card charges after using those cards to order caps, gowns and other graduation gear from the company’s website.
Herff Jones—a 101-year-old company that sells graduation garb, class rings, yearbooks and other products for schools, churches, sports teams and corporations—disclosed on its website May 12 what the company described as a “cyber security incident” that resulted in the “theft of certain customers’ payment information.”
As a result of the incident, three lawsuits with a total of seven plaintiffs have been filed to date by Herff Jones customers. All the suits were filed last month in U.S. District Court for the Southern District of Indiana. The plaintiffs are seeking class-action status for their complaints, citing the data breach’s thousands of potential victims from schools around the country—including both Purdue University and Indiana University.
More than 8,500 graduates attended in-person graduation ceremonies this year at one of IU’s campuses, IU spokesman Chuck Carney told IBJ. The school has used Herff Jones as its vendor for graduation products for decades, Carney said, and the company is the sole provider of IU-branded graduation items such as undergraduate stoles and doctoral-level gowns.
Some IU students contacted the school with concerns about the data breach, Carney said, but those students were referred to Herff Jones and the school did not keep a tally of the queries.
Likewise, Purdue spokesman Tim Doty said Purdue referred data-breach questions to Herff Jones, and he said he didn’t believe anyone at the school kept track of how many queries it received.
Doty said 5,704 Purdue students participated in in-person graduation ceremonies this year. “We do require the use of Herff Jones, as we use custom gowns for our ceremonies,” Doty told IBJ via email.
Herff Jones ranked 12th on IBJ’s 2020 list of largest Indianapolis-area employers, with 450 employees locally and 1,550 company-wide. The company is a division of Dallas-based Varsity Brands, which itself is owned by investment firm Bain Capital.
Herff Jones declined to answer IBJ’s questions about the data breach, instead responding via email with the following statement:
“Herff Jones is investigating suspicious activity involving certain customers’ payment card information. We have engaged a leading cybersecurity firm to assist in assessing the scope of the incident, notified law enforcement and taken steps to mitigate the potential impact. This includes a partnership with PayPal, which provides customers with a more secure way to make payments immediately and a dedicated customer service line (855-535-1795) set up to address questions related to the incident.
“Our investigation is ongoing and we are working diligently to identify and notify potentially impacted customers. Herff Jones is committed to the privacy and security of its customers and we take this responsibility seriously.”
The lawsuits filed last month all make similar allegations: Plaintiffs ordered graduation products from Herff Jones, and shortly thereafter saw unauthorized charges show up on the cards they had used with Herff Jones.
Plaintiffs Angela Garrett of Illinois and Crysta Garner of California filed their suit on May 25. Their attorney, Jeffrey Goldenberg of Goldenberg Schneider LPA in Cincinnati, did not respond to IBJ’s email and phone messages seeking comment.
The suit alleges that, on April 15, Garrett used a debit card to purchase from Herff Jones a cap and gown, graduation announcements and other items related to her May 23 graduation from Harold Washington College in Chicago. Then, on May 9, Garrett saw 10 unauthorized transactions on her debit card totaling $627, all under the name “Changi Recommends Singapore.”
Garrett, the suit says, “was looking forward to graduating from college along with the sense of accomplishment that comes with such a major life achievement, but was subjected to persistent worrying and distress because the funds in her account were substantially depleted due to the data breach.”
The other plaintiff in this suit, Garner, used a credit card to purchase items from Herff Jones for her daughter’s upcoming graduation from Mount San Antonio College in Walnut, California. On May 8, Garner discovered fraudulent purchase activity on the credit card, the suit says. The suit does not say when Garner made the Herff Jones purchases or what she purchased, nor does it give details about the fraudulent purchases.
The suit also alleges that Herff Jones did not disclose the data breach to either of the plaintiffs in a timely fashion.
Garner and Garrett are seeking damages in an unspecified amount, along with financial restitution, attorney’s fees and other expenses. The plaintiffs are also asking the court to order Herff Jones to disclose the nature of the information that has been compromised, adopt “reasonably sufficient security practices and safeguards” to prevent future breaches, and provide the plaintiffs with lifetime identity-theft protection services.
Two more suits
Plaintiffs in the other two lawsuits are represented by attorney Gary Klinger of the Chicago firm Mason Lietz and Klinger LLP. Klinger declined to comment when contacted by IBJ.
One of the suits Klinger is handling includes four plaintiffs: Justin Ahn of Tompkins County, New York; Kevin Bersch of New Jersey, who lives in Tippecanoe County, Indiana; Leighton Blackwood, a resident of Broome County, New York; and Kristin Walker, a resident of Los Angeles County, California.
This complaint describes similar experiences for all four plaintiffs.
Ahn visited Herff Jones’ website on April 13 to rent a cap and gown, and on May 13 discovered a fraudulent charge on that card, the suit alleges.
Bersch visited Herff Jones’ website to rent a cap and gown on March 27, then saw 12 unauthorized purchases May 5-20 totaling $396 on the card he used, the suit alleges.
Blackwood rented a cap and gown from Herff Jones’ website on April 15, and on May 11 two unauthorized purchases totaling $255 showed up on the credit card, the suit alleges.
Kristin Walker placed a cap-and-gown rental order on Herff Jones’ website on March 31, and saw six unauthorized purchases totaling $230 on her card May 5-6, the suit alleges.
None of the four plaintiffs had been directly notified by Herff Jones about the data breach as of May 27, when they filed their lawsuit, the complaint says.
The third suit involves a single plaintiff: Connie Quintana of Fillmore, California.
Quintana ordered $354 worth of merchandise—a cap, gown and other graduation-related items—from Herff Jones’ website on April 4 in advance of her May graduation from California State University at Chico, according to a document filed along with her legal complaint.
Then, on May 13, at least three fraudulent charges showed up on the card Quintana had used on the Herff Jones website, the suit alleges. The charges—one for $100 and two for $4.99 each—were for transactions identified as purchases at steamgames.com, a video-game site.
As of May 26, the date on which Quintana filed her suit, Herff Jones had still not directly notified the affected victims of the data breach, the suit claims.
“There is a strong probability that entire batches of stolen payment card information have been dumped on the black market or are yet to be dumped on the black market, meaning plaintiff and class members are at an increased risk of fraud for many years into the future,” Quintana’s complaint says.
Security breaches are fairly common. According to a database maintained by the Indiana Attorney General, there have been thousands of such breaches in the past several years. In 2020, for instance, the Attorney General’s Office received information on 1,084 reported breaches. So far this year, 717 reports have come in.
Many of the reported breaches involve only a handful of Indiana residents, but some affect many more. Since the beginning of last year, for instance, entities have reported 29 separate breaches affecting at least 5,000 Hoosiers.
Aaron Pritz, co-founder and CEO of Carmel-based cybersecurity, privacy and risk-management firm Reveal Risk, said there can be a significant gap between when a breach occurs and when it’s reported, because sometimes it takes a while for a company to discover a breach.
Pritz said he advises his clients to identify their biggest areas of risk, then come up with strategies to help mitigate those risks. “If you don’t prioritize that and figure out how to focus, it’s going to be a never-ending battle … the bad guys are always getting sharper.”
Reveal Risk is not involved in the Herff Jones case, and Pritz said it’s impossible to know from the outside exactly what happened in this situation. He pointed out that the complaint in a civil suit represents only the plaintiff’s point of view.
“There’s always more to the story,” he said.
As of Tuesday, Herff Jones had not filed its legal response to any of the three lawsuits.•