Graduating students at the University of Delaware should be celebrating their upcoming commencement, but instead, some have had their credit card information stolen after a cyberattack hit Herff Jones, the company that sells cap and gowns to a number of colleges and universities across the country.
While it's unclear how many students and families may be impacted locally and nationally by the breach, Zach Cox, a graduating senior, told WDEL he woke up one day last week to fraudulent charges on his credit card after making the cap and gown purchase for more than $105.
"It was over $1,000," Zach Cox told WDEL. "I didn't think anything of it really. I purchase gas and go out, and you never know if there's one of those [skimmer] machines on it that may swipe your card number."
Over the weekend, though, he saw similar stories spreading on UD social media, all sharing a common theme: complainants had made a recent cap and gown purchase with Herff Jones.
Cox's credit card was used unlawfully to make an online purchase at Fashion Nova, a website, where he said he's never shopped. Others have reported their cards were used to make purchases elsewhere.
"I was a little upset with the bank because, number one, I haven't bought from Fashion Nova before. Number two, I don't shop at three in the morning when the charge was there, so I was a bit curious why they allowed any charge to go through when just a few weeks ago, I was buying parts for a new computer from Best Buy, and they were blocking those charges," he said.
Since it happened, Cox said he's received no information from the Indiana-based company directly regarding the data breach or from the university. He noted he's reached out to the university's commencement email as well as the attorney general's office.
"I want people to know what is happening and keep an eye on their account because if it's not this week, that number, your credit card information is out there, and it may not be this year or next year, but if you don't get a new card, that information can still be stolen at any time," said Cox. "I can handle the inconveniences on my end. I understand we live in a time and day where this stuff happens, but I want Herff Jones to be very transparent about what happened, how it happened, why it happened, and what they're going to do to prevent it from happening...this is a major graduation company."
But University of Delaware spokeswoman Andrea Boyle told WDEL Herff Jones sent the school an update regarding "possible fraudulent activity" related to purchases made on the Herff Jones website, noting it had been hit by a cyber-attack. She said the school's bookstore has been fielding questions on the matter.
"Herff Jones has become aware that we have been the victim of a cyber-attack and that there are reports of possible fraudulent activity on customers’ personal payment card accounts. We take any situation which could compromise customer data very seriously. This incident is being thoroughly investigated by our internal and third-party security experts, who have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact as well as determine its origins. We have hardened our system and eliminated unauthorized access to payment card information within our systems. We are also working with the appropriate authorities and law enforcement to gather as much information as we can," the Herff Jones communication said.
While we know that the timing is less than ideal and may cause concern from your students and families, out of an abundance of caution, the payment functions on each of Herff Jones’ webpages have been temporarily taken down as part of this investigation.
Going forward, the company said it will invoice customers, purchasing cap and gowns, by utilizing a "bill me later" step. The company further apologized to customers in the communication sent to UD.
"We sincerely apologize to those impacted. We are working diligently to determine which individuals were impacted, and when we have that information, rest assured we will contact those individual customers in a timely manner," the Herff Jones communication said.
Boyle could not estimate how many UD students may be impacted by the breach.
Students are urged to monitor their payment card account statements and credit reports for any unauthorized activity and report it immediately to their financial institution.
Anyone who may have been impacted by the breach can call Herff Jones at 855.535.1795 between 9 a.m. and 9 p.m. EST Monday through Friday.