EXECUTIVE SUMMARY:
Since 2017, the education technology company known as Chegg has experienced four data breaches, exposing the sensitive information of tens of millions of employees and customers. Now, the U.S. Federal Trade Commission is suing.
The company has been accused of ‘careless’ data security policies and practices. “Chegg took shortcuts with millions of students’ sensitive information,” according to Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
What is Chegg?
The California-based education tech company sells products and services to high school and college students. In some cases, the company relies on students’ personal information to provide appropriately targeted offerings.
For example, as part of the company’s scholarship search service, Chegg has collected data pertaining to religious denominations, heritage, dates of birth, parents’ income range and disabilities, among other things.
FTC complaint
The official FTC complaint contends that these four data breaches occurred due to poor data security practices. The company allegedly failed to pursue basic security measures, such as multi-factor authentication, use of Single Sign-On (SSO) for compromised databases, and malicious activity monitoring. 
Chegg is also accused of improperly storing employees’ and customers’ personal information along with failing to offer workers phishing awareness training.
“Chegg’s failure to protect its employees’ medical and financial data was particularly problematic, since this information is valuable on the open market and is used to commit identity theft and fraud,” noted the FTC.
4 data breaches, 3 years
- In September of 2017, an initial data breach occurred following a phishing attack that targeted multiple employees.
- A second breach occurred after a former contractor used login information to access Chegg Amazon S3 buckets, which contained data belonging to millions of users. Later, the data was found for sale on the dark web, along with roughly 25 million passwords shown in plaintext. The company was then forced to reset passwords for 40 million individuals.
- Roughly a year later, a Chegg executive’s credentials were obtained during a phishing attack. Afterwards, the cyber criminal managed to access the executive’s inbox and personal info belonging to employees and customers.
- Twelve months later, another Chegg employee fell victim to a phishing attack. Subsequently, the cyber attackers accessed the company’s payroll system, stealing hundreds of employees’ W-2 information (e.g., birth data, social security numbers).
Chegg did not develop a written security policy until January of 2021.
FTC requirements
An order from the FTC will require Chegg to implement better data security, leverage multi-factor authentication, limit collected and stored customer data and permit customers to obtain and delete their data.
- Detail and limit data collection. The company will be required to document and follow a schedule that spells out what information the company collects, why it collects the information and when the information will be deleted.
- Provide consumer access to data: Chegg will need to provide customers with access to the data collected about them. Customers will be able to request the permanent deletion of the data.
- Implement multi-factor authentication: Chegg will need to provide multi-factor authentication or an equivalent authentication method for employees and consumers in order to protect their accounts.
- Implement security programs: Chegg will be required to devise a comprehensive information security program that addresses existing flaws in the company’s data security methods. Chegg must offer encryption of consumer data and security awareness training for employees.
“[The]…order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collected on the front end,” explained the FTC.
Chegg’s response
A Chegg representative noted that “Data privacy is a top priority for Chegg. Chegg worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission’s Administrative Order…”
“Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”
Get the full story from the Federal Trade Commission. Lastly, discover new trends, expert interviews, and so much more – subscribe to the CyberTalk.org newsletter.