Graduates Prime Targets For Theft After Breach
Amidst all the cards, balloons and congratulations, recent high school and college graduates received another present—the breach of credit card data used to order their caps and gowns. Supplier Herff Jones discovered the violation in mid-May as graduates flocked to large venues for the first live celebrations since 2019.
This breach is notable, but it may get overlooked in the excitement and hoopla over in-person graduations and parties now that the pandemic has eased restrictions on gatherings. That won't be true, however, for students who've already experienced fraudulent credit card charges.
Indianapolis-based Herff Jones sells the entire gamut of graduation services, including announcements, frames, jewelry and other regalia. The firm even offered virtual graduation services in 2020. Hackers lifted data for students whose universities selected Herff Jones (HJ) as their authorized graduation supplier. Cornell, Purdue, George Washington, Indiana University, Colorado, Hawaii Pacific, Houston, Illinois, Delaware, Towson, Southern California and an unknown number of other institutions were clients of HJ.
The provider gets kudos for a prompt press statement on the cap and gowns data breach issued May 12th, but five weeks have passed with no additional details provided. The company's breach statement appears inconspicuously amidst several February blog posts on the company's website.
At this writing, states that require breach notifications have not received letters from HJ since the breach. The lack of government notifications makes it impossible to guess the number of compromised accounts.
Student names, addresses, emails and phone numbers were all probably provided on order forms. These details, if leaked, could have wide-ranging consequences.
The breach came to light as eager graduation candidates experienced delays in attire deliveries and bogus credit card bills. Many took to social media to gripe as well as warn fellow grads. The data breach hit Twitter hard as students shared bad luck stories of loss and massive frustration with slow deliveries. Some did not receive their graduation attire before their event.
One Purdue student reported seeing thousands in charged airline tickets on her account. Another student lost $2,600 in charges she's now trying to claw back.
One victim wrote, "Ordering my cap & gown could have royally screwed me. Neither Herff Jones nor my college alert(ed) me. Thanks a lot!"
Strong Protections Exist
Most folks panic when they find fraudulent charges on credit or debit card statements. However, federal laws have your back in this situation. The Fair Credit Billing Act (FCRA) and the Electronic Transfer Funds Act (ETFA) significantly limit consumer losses.
There's one consequence no one could escape, however. Many students had to cancel their cards and wait a week or more for replacements to arrive—during a season of parties, celebrations, moving and finding new homes. That proved to be mighty inconvenient. Also, if students paid with a debit card instead of one for credit, the ETFA gives lending institutions up to two weeks to restore the automatically subtracted funds.
Will Another Shoe Drop?
Without a firm statement of scope, it's impossible to predict whether card numbers were the beginning and the end of the compromise. Institutions like The University of Colorado Denver sent a message of reassurance to grads.
"Graduation should be a time of celebration, not frustration. To that end, campus leadership is working closely with the vendor Herff Jones to determine the extent of the breach as it relates to our campus and will continue to actively monitor the situation going forward. At this time, we have no reason to believe that other sensitive information (such as Social Security Numbers or dates of birth) is at risk, as that data was not part of orders placed with Herff Jones," the UC Denver statement detailed.
That's still no answer regarding email addresses and phone numbers, so HJ customers should be very wary and inspect their bank statements closely until more is known. Scrutinize all random texts and emails for potential fraud. An HJ customer service team is available 9 to 9 weekdays at 855-535-1795 to deal with inquiries.
Student Breaches Unpredictable
Some breaches are easier to wrangle than others, but that doesn't apply to student data leaks. Departing students don't leave forwarding addresses. Not all graduates join the alumni association. Some drop out of sight.
It's challenging to reach former students when a data breach involves institutional records. Some institutions have formal data retention policies to limit what they store. Still, even that didn't help students, staff or former applicants at Butler University in the wake of a 2014 data loss.
"So, they have my personal info from an application from over a decade ago?" one former applicant wrote on Twitter.
Butler later revealed stolen records dated back to the 1980s, although the institution adopted a retention plan in 2009 that could have reduced records on hand. A total of163,000 individuals lost data. Social media announcements tried to reach students who didn't stay in touch, but this was an imperfect approach.
A second reason for identity concern is that many new graduates don't know much about finances or legal protections such as FCRA. Hackers love to target these individuals and exploit that inexperience.
One HJ victim commented on Facebook's "Overheard at GW" the following: "Apparently, Herff Jones had a data breach and a lot of graduating seniors' payment info was stolen. I had to cancel my credit card last week because someone tried to charge over $1000 to it, and I didn't know how this would have happened."
If your family has an IDShield family membership, dependent individuals can use that plan until age 26. If your student already landed a great job, congrats all around. Still, identity protection today could prove priceless for folks just beginning a career.
IDShield monitors dozens of data points 24/7 so your grads won't waste time checking their vital records when they should be job and house hunting. Membership makes a great celebration gift, too. When friends or relatives ask for suggestions, suggest IDS. Your kids will thank you the very next time their data gets breached.
IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.