FTC Orders Chegg to Improve Security Following Multiple Data Breaches

The Federal Trade Commission (FTC) this week announced that it has reached an agreement with education technology provider Chegg over the company’s cybersecurity failures leading to several data breaches.

The Santa Clara, California-based company provides student services such as online tutoring and digital and physical textbook rentals to high school and college students.

The security mishaps, the FTC says, have exposed the personal information of tens of millions of customers and employees to cyberattacks, including their Social Security numbers, email addresses, and login information.

Since 2017, Chegg allegedly experienced four security breaches, but the company failed to implement the necessary protections.

The FTC is now requiring the company to improve its security stance, to collect less personal data than before, to allow users to access and erase their data, and to implement multi-factor authentication (MFA).

In its complaint, the FTC alleges that Chegg failed to keep the personal information of both customers and employees safe, including sensitive information such as financial data, medical information, birth dates, sexual orientation, disabilities, and more.

In September 2017, a Chegg employee fell for a phishing attack, leading to the exposure of employees’ direct deposit information.

Less than a year later, a third-party cloud database containing the personal information of roughly 40 million Chegg customers was accessed by a former contractor, using login credentials the company had shared both within and outside the organization.

The incident resulted in the compromise of names, email addresses, birth dates, passwords, and sensitive scholarship information (parents’ income range, disabilities, and sexual orientation). Some of the data was later found for sale online.

By 2020, Chegg experienced two additional data breaches as a result of phishing attacks, which led to the compromise of sensitive employee data, including medical and financial information.

The FTC alleges that Chegg failed to implement basic security measures to protect the collected and stored information, stored data insecurely, and failed to implement adequate security policies and security training for employees and contractors.

The FTC is requiring Chegg to detail and limit its data collection practices, to provide consumers with access to their data, including allowing them to request the deletion of the data, to implement MFA or a similar authentication method, and to implement a comprehensive information security program to deal with the lax security practices.

Replying to a SecurityWeek inquiry, a Chegg spokesperson provided the following statement:

“Data privacy is a top priority for Chegg. Chegg worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission’s Administrative Order. The incidents in the Federal Trade Commission’s complaint related to issues that occurred more than two years ago. No monetary fines were assessed. We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program. Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”

*updated with statement from Chegg

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
