Bookstore Cyberattack Leaves BU’s and Other Students’ Credit Card Information Compromised
Graduation merchandise vendor Herff Jones says data breach is being investigated
Herff Jones, the company that offers graduation merchandise through Barnes & Noble at BU, as well as regalia—such as class rings and yearbooks—for other colleges and universities across the country, reported this week that it was the victim of a cyberattack that compromised thousands of student customers’ personal payment credit card accounts.
The report comes as BU and other schools wrap up a historic school year disrupted by the coronavirus pandemic. BU’s 2021 Commencement is this weekend.
A number of steps are underway, including:
- Independent third-party vendor Herff Jones, based in Indianapolis, is having the issue investigated by both internal and third-party security experts.
- The vendor is reinforcing existing security measures, trying to trace the origins of the hack, mitigate the impact, and eliminate unauthorized access to payment card information within their systems.
- Payment functions on the Herff Jones website have temporarily been taken down, and customers can securely place orders on the Herff Jones core sites without submitting payment information. Herff Jones will fulfill orders to customers with “Bill Me Later” to avoid any delays.
- Herff Jones is contacting impacted customers, and their schools, as well as working with Barnes & Noble College.
- A customer service phone line has been set up to assist institutional and individual customers on this specific issue: 855-0535-1795.
- Law enforcement authorities have been notified by Herff Jones and are investigating.
The hack appears to have come to light earlier this week, when students at the University of Houston, University of Illinois, Towson University, and Purdue University began noticing suspicious activity on their credit cards. Several incidents emerged at BU, as well, when some students and parents noticed their credit cards had been compromised after ordering caps and gowns from the Herff Jones site.
“Barnes & Noble College has been notified that Herff Jones recently discovered they had been the victim of a cyberattack after receiving reports of possible fraudulent activity on student customers’ personal payment card accounts, which may have compromised customer data,” a statement from Barnes & Noble says. “We want to assure you that we are taking this situation very seriously and are working closely with Herff Jones to fully understand exactly what happened and how they are addressing the issue.”
On its website, Herff Jones has posted this statement: “We recently became aware of suspicious activity involving certain customers’ payment card information. We promptly launched an investigation and engaged a leading cybersecurity firm to assist in assessing the scope of the incident. We have taken steps to mitigate the potential impact and notified law enforcement. Herff Jones is committed to the privacy and security of its customers and we take this responsibility seriously. During the course of our investigation, which is ongoing, we identified theft of certain customers’ payment information.”
“We sincerely appreciate and apologize for the inconvenience this may have caused students and parents at a time typically reserved for celebration,” said Peter Smokowski, BU vice president for auxiliary services, on Wednesday, “and we would urge anyone who purchased academic regalia through Herff Jones to contact the company at the number above for more information. We will continue to work with Barnes & Noble and Herff Jones as their investigation progresses.”