A number of steps are underway, including:

- Law enforcement authorities have been notified by Herff Jones and are investigating.
- A customer service phone line has been set up to assist institutional and individual customers on this specific issue: 855-0535-1795.
- Herff Jones is contacting impacted customers, and their schools, as well as working with Barnes & Noble College.
- Herff Jones will fulfill orders to customers with “Bill Me Later” to avoid any delays. Payment functions on the Herff Jones website have temporarily been taken down, and customers can securely place orders on the Herff Jones core sites without submitting payment information.
- The vendor is reinforcing existing security measures, trying to trace the origins of the hack, mitigate the impact, and eliminate unauthorized access to payment card information within their systems.
- Independent third-party vendor Herff Jones, based in Indianapolis, is having the issue investigated by both internal and third-party security experts.

BU’s 2021 Commencement is this weekend. The timing comes as BU, and other schools, wrap up a historic school year disrupted by the coronavirus pandemic.

Herff Jones, the company that offers graduation merchandise through Barnes & Noble at BU, as well as regalia, such as class rings and yearbooks, for other colleges and universities across the country, reported this week that it was the victim of a cyberattack that compromised thousands of student customers’ personal payment credit card accounts.

Putting It into Practice: Portions of the expectations set out by these two AGs mirror those in other settlements in 2022, including by the FTC and the NYDFS. These include comprehensive risk assessments and security programs, certain minimum technical and administrative safeguards, and qualified personnel designated to handle information security.

*Kathryn Smith is a fellow in the firm’s Chicago office.
- Comply with the PCI data security standards.

As part of the settlement, within one year of the date of the settlement agreement and then biennially for 5 years thereafter, the company is required to have a qualified and independent third party evaluate and test the effectiveness of their information security program.

- Annually conduct cybersecurity awareness training for employees with key responsibilities for information security.
- Designate a qualified individual to be in charge of program oversight who will, among other things, advise senior leadership on risks and remediation strategies.
- Access controls, such as multi-factor authentication, one-time passcodes, location-specific requirements, and other access enhancements.
- Reasonable measures to detect and respond to security incidents, such as log correlation and alerting, file and data integrity monitoring, intrusion detection and prevention tools, and a documented incident response plan.
- Also included are a penetration-testing program designed to identify, assess, and remediate security vulnerabilities and a card data environment segmented from other areas of the company’s IT infrastructure. These include installing only approved software and using a software patch management program with automated, standardized patch management distribution tools to deploy, verify, and track patches.
- Implement certain minimum reasonable information security safeguards designed to safeguard and protect personal information.
- Implement and perform annual information security risk assessments that conform to standards issued by information security organizations such as NIST, ISO 27005, and CIS RAM.

The security procedures agreed upon illustrate the expectations these AGs, and likely others, have of companies’ security programs. Under the settlement, Herff Jones has agreed not only to pay $100,000 to each AG but also to implement a comprehensive written information security program within 180 days from the date of the settlement.
According to the AGs, the company also did not comply with the Payment Card Industry Data Security Standards, a contractual obligation placed by credit card companies on those entities who accept credit card payments. The AGs alleged the breach of consumers’ payment card information resulted from the company’s failure to use reasonable data security measures. The case arose after Herff Jones, producer and seller of graduation goods, suffered a breach resulting in the theft and sale of customer payment card information. The New York and Pennsylvania AGs' settlement with Herff Jones from late last year provides guidance to businesses about expected security measures as we enter into 2023.