FTC takes “aggressive” action after data breaches at online education services provider

Four breaches since 2017 at Chegg alleged to have compromised data of 40 million users.

The Federal Trade Commission (FTC) has filed a complaint against leading educational technology provider Chegg, accusing it of taking “shortcuts with millions of students’ sensitive information” after four data breaches since 2017 compromised the data of up to 40 million customers.

Samuel Levine, the FTC’s Bureau of Consumer Protection Director, said the FTC order “requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end”. And he promised: “The Commission will continue to act aggressively to protect personal data.”

Four data breaches

California-based Chegg sells educational products and services to high school and college students, including online tutoring. It holds information including users’ Social Security numbers, financial and medical data, religion, disabilities and sexual orientation. Since 2017 the company has suffered four data breaches that exposed that information due to poor security practices that it has failed to fix.

Poor practices alleged by the FTC to have taken place include:

  • failure to implement basic security measures – for example not requiring the use of multifactor authentication and allowing employees to use single log-ins to access third-party databases;
  • insecurely storing information – for example storing personal data in the cloud in plain text; and
  • failure to develop adequate security policies – Chegg did not implement a written security policy until January 2021.

The FTC said Chegg’s failures also exposed the medical and financial data of its employees.

Further action

The decision and order issued by the FTC means Chegg must take a number of steps to avoid further action. These include:

  • documenting what information it collects, why, and when it will be deleted;
  • giving customers access to data held on them;
  • providing multifactor authentication to customers and employees; and
  • implementing a comprehensive security programme to address the flaws identified.

Chegg issued a statement saying: “Data privacy is a top priority for Chegg. Chegg worked cooperatively with the FTC on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission’s Administrative Order. The incidents in the Federal Trade Commission’s complaint related to issues that occurred more than two years ago. No monetary fines were assessed. We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program.”
