The Federal Trade Commission (FTC) this week announced that it has reached an agreement with education technology provider Chegg over the company’s cybersecurity failures leading to several data breaches.
The Santa Clara, California-based company provides student services such as online tutoring and digital and physical textbook rentals to high school and college students.
The security mishaps, the FTC says, have exposed the personal information of tens of millions of customers and employees to cyberattacks, including their Social Security numbers, email addresses, and login information.
Since 2017, Chegg allegedly experienced four security breaches, but the company failed to implement the necessary protections.
The FTC is now requiring the company to improve its security stance, to collect less personal data than before, to allow users to access and erase their data, and to implement multi-factor authentication (MFA).
In its complaint, the FTC alleges that Chegg failed to keep the personal information of both customers and employees safe, including sensitive information such as financial data, medical information, birth dates, sexual orientation, disabilities, and more.
In September 2017, a Chegg employee fell for a phishing attack, leading to the exposure of employees’ direct deposit information.
Less than a year later, a third-party cloud database containing the personal information of roughly 40 million Chegg customers was accessed by a former contractor, using login credentials the company had shared both within and outside the organization.
The incident resulted in the compromise of names, email addresses, birth dates, passwords, and sensitive scholarship information (parents’ income range, disabilities, and sexual orientation). Some of the data was later found for sale online.
By 2020, Chegg had experienced two additional data breaches as a result of phishing attacks, which led to the compromise of sensitive employee data, including medical and financial information.
The FTC alleges that Chegg failed to implement basic security measures to protect the collected and stored information, stored data insecurely, and failed to implement adequate security policies and security training for employees and contractors.
The FTC is requiring Chegg to detail and limit its data collection practices, to provide consumers with access to their data, including allowing them to request the deletion of the data, to implement MFA or a similar authentication method, and to implement a comprehensive information security program to deal with the lax security practices.
Replying to a SecurityWeek inquiry, a Chegg spokesperson provided the following statement:
“Data privacy is a top priority for Chegg. Chegg worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission’s Administrative Order. The incidents in the Federal Trade Commission’s complaint related to issues that occurred more than two years ago. No monetary fines were assessed. We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program. Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”
*Updated with statement from Chegg.
Related: Chegg Informs Employees of Data Breach
Related: FTC Targets Drizly and Its CEO Over Cybersecurity Failures That Led to Data Breach
Related: FTC Looking at Rules to Corral Tech Firms’ Data Collection