College Students Claim Herff Jones’ Negligence Caused Massive Data Breach Resulting in Fraudulent Charges [UPDATE]
by Erin Shaak
Last Updated on March 3, 2022
Ahn et al. v. Herff Jones, LLC
Filed: May 27, 2021 ◆§ 1:21-cv-01381
Herff Jones has been hit with a class action over a recent data breach alleged to have caused students to incur fraudulent charges on their bank accounts.
Case Updates
March 3, 2022 – Herff Jones Data Breach Class Action Settlement Receives Preliminary Approval
A settlement ending the proposed class action detailed on this page and three similar lawsuits was granted preliminary approval by Chief U.S. District Judge Tanya Walton Pratt on January 12, 2022.
The official website for the settlement is live and can be found here.
According to an 18-page order, the settlement covers all United States residents whose personal information was exposed or potentially exposed in connection with the data incident, including, but not necessarily limited to, those who were mailed a notification by Herff Jones between May 12 and June 18, 2021.
To submit a claim, head to this page and enter your unique settlement notice ID and confirmation code. If you do not have a personalized notice ID, click the option on the right to proceed. The deadline by which to file a claim is May 12, 2022. If you do not file a claim, you will receive no compensation from the settlement.
All consumers covered by the deal, i.e., “class members,” who attest that they used a debit or credit card to make a purchase from Herff Jones during the time of the data incident are eligible to receive $75, regardless of whether they experienced any fraudulent or unauthorized charges or identity theft. In the alternative, class members are eligible to receive up to $200 for time spent addressing fraudulent activity or monitoring their accounts as a result of the data breach, or up to $5,000 for “actual, documented and unreimbursed” out-of-pocket expenses incurred from the incident.
Consumers in California are eligible for an additional $100, the order adds.
According to the order, more than one million consumers used debit, credit or other payment cards to buy goods or services from Herff Jones during the data breach.
Don’t miss out on settlement news like this. Sign up for ClassAction.org’s free weekly newsletter here.
Herff Jones, LLC has been hit with a proposed class action over a recent data breach alleged to have caused students to incur fraudulent charges on their bank accounts.
The lawsuit’s four plaintiffs, graduating college seniors who rented their caps and gowns from Herff Jones in March and April 2021, claim the company’s failure to maintain adequate security procedures caused their personally identifiable information (PII), and that of potentially thousands of others, to be accessed by unauthorized parties and used in fraudulent transactions.
“Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were collecting, causing customers’ PII to be exposed and sold on the dark web,” the complaint charges, alleging that those whose information was affected in the incident face a heightened risk of identity theft and fraud.
According to the suit, students began posting on Reddit in early May that their payment card data had been stolen. The only common charges among the students appeared to be from Herff Jones, their schools’ regalia vendor, the lawsuit alleges. The case claims students at the University of Houston, Purdue University, Towson University, the University of Southern California, the University of Wisconsin at Madison, Cornell University, Boston University, the University of Illinois at Urbana-Champaign, the University of California at Davis, the State University of New York at Binghamton, and other schools have since reported that they’ve incurred fraudulent charges as a result of the apparent Herff Jones data breach.
Per the suit, news organizations began reporting around May 11 that Herff Jones admitted that “some information had been stolen,” and the defendant reportedly posted an update on its website the next day in which it stated it had become aware of “suspicious activity involving certain customers’ payment card information,” the case reads. As of the lawsuit’s filing, however, Herff Jones had yet to notify state attorneys general, issue a press release or directly inform customers of the breach, according to the complaint.
The case claims customers’ information—including names, addresses, phone numbers, email addresses, payment card information and possibly more—had been “scraped” from the defendant’s website by malware designed to collect consumers’ payment information. According to the suit, malicious actors collected from Herff Jones what’s known as the fullz, a term used among criminals to refer to a customer’s full primary account number, contact information, credit card number, CVC code and expiration date.
Herff Jones, the suit contests, has failed to heed warnings and advice issued by the FBI “about this exact type of fraud” and take the necessary steps to secure customers’ private information.
“Unfortunately,” the complaint reads, “despite all of the publicly available knowledge of the continued compromises of PII in this manner, Defendant’s approach to maintaining the privacy and security of Plaintiff’s and Class members’ PII was negligent, or, at the very least, Defendant did not maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ valuable PII.”
The plaintiffs have reported discovering fraudulent charges on their bank accounts totaling between $229.91 and $396.49 after using their payment cards to rent caps and gowns on Herff Jones’ website. The four individuals look to represent anyone whose personally identifiable information was compromised in the Herff Jones data breach, as well as state-specific subclasses of California, Indiana and New York residents.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Before commenting, please review our comment policy.