Education Tech Provider Chegg Gets F for Data Security, Says FTC

WASHINGTON—The Federal Trade Commission is taking action against education technology provider Chegg Inc. for what it called “lax data security practices” that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses and passwords.

Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017. The FTC’s proposed order requires the company to bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

According to the FTC, the California-based company sells educational products and services targeted to high school and college students, including online tutoring and a college scholarship search service. Chegg collects a variety of personal information about its users.

“For example, as part of its scholarship search service, Chegg has collected information about users’ religious denominations, heritage, dates of birth, sexual orientation, and disabilities. It also has collected and stored sensitive personal information about its employees, including dates of birth, Social Security numbers, and financial and medical data,” the FTC said.

Numerous Breaches

In a complaint, the FTC alleged Chegg failed to protect the personal information it has collected from its users and employees. As a result, the company experienced four data breaches that exposed that personal information. Those breaches include:

  • September 2017, when multiple Chegg employees fell for a phishing attack that allowed a hacker to gain access to employees’ direct deposit information.
  • Less than a year later, a former Chegg contractor used login information the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing personal information of approximately 40 million customers. The exposed personal information included names, email addresses, passwords, and for certain users, sensitive scholarship data such as dates of birth, parents’ income range, sexual orientation, and disabilities, the FTC said.
  • In the next two years, Chegg experienced two more data breaches involving phishing attacks that successfully targeted Chegg employees. These attacks exposed sensitive data about Chegg’s employees, including medical and financial information.

Poor Practices

The FTC’s complaint alleges that these data breaches stemmed from Chegg’s poor data security practices, which included: 

  • Failing to implement basic security measures. The FTC alleged that despite its promises, Chegg failed to use “commercially reasonable security measures” to protect personal information it collected and stored. “For example, at various times throughout the relevant time period, it did not require employees to use multifactor authentication measures to log into its third-party databases, allowed employees and contractors to use a single login to access those databases, and failed to monitor its network and databases for threats.”
  • Storing information insecurely. Chegg stored personal data on its cloud storage databases in plain text and, until at least 2018, used outdated and weak encryption to protect user passwords.
  • Failing to develop adequate security policies and training. Even after experiencing three phishing attacks, the company did not provide adequate security training to employees and contractors or implement a written security policy until January 2021.

Data for Sale

As a result of these failures, some of the data about Chegg’s 40 million customers stolen by its former contractor was later found for sale online, according to the FTC.

Chegg’s failure to protect its employees’ medical and financial data was particularly problematic since this information is valuable on the open market and is used to commit identity theft and fraud, according to the complaint.

Copyright Holder: CUToday.info
Copyright Year: 2026
URL: https://cuto-admin.flux5.ccplatform.net/Fresh-Today/Education-Tech-Provider-Chegg-Gets-F-for-Data-Security-Says-FTC