The Federal Trade Commission (FTC) this week announced that it has reached an agreement with education technology provider Chegg over the company’s cybersecurity failures leading to several data breaches.
The Santa Clara, California-based company provides student services such as online tutoring and digital and physical textbook rentals to high school and college students.
The security mishaps, the FTC says, have exposed the personal information of tens of millions of customers and employees to cyberattacks, including their Social Security numbers, email addresses, and login information.
Since 2017, Chegg has allegedly experienced four security breaches, yet the company failed to implement the necessary protections after each one.
The FTC is now requiring the company to improve its security stance, to collect less personal data than before, to allow users to access and erase their data, and to implement multi-factor authentication (MFA).
In its complaint, the FTC alleges that Chegg failed to keep the personal information of both customers and employees safe, including sensitive information such as financial data, medical information, birth dates, sexual orientation, disabilities, and more.
In September 2017, a Chegg employee fell for a phishing attack, leading to the exposure of employees’ direct deposit information.
Less than a year later, a third-party cloud database containing the personal information of roughly 40 million Chegg customers was accessed by a former contractor, using login credentials the company had shared both within and outside the organization.
The incident resulted in the compromise of names, email addresses, birth dates, passwords, and sensitive scholarship information (parents’ income range, disabilities, and sexual orientation). Some of the data was later found for sale online.
By 2020, Chegg had experienced two additional data breaches as a result of phishing attacks, which led to the compromise of sensitive employee data, including medical and financial information.
The FTC alleges that Chegg failed to implement basic security measures to protect the collected and stored information, stored data insecurely, and failed to implement adequate security policies and security training for employees and contractors.
The FTC is requiring Chegg to document and limit its data collection practices, to provide consumers with access to their data and the ability to request its deletion, to implement MFA or a similar authentication method, and to implement a comprehensive information security program to address the lax security practices.
SecurityWeek has emailed Chegg for a comment on the settlement and will update the article as soon as a reply arrives.