The Federal Trade Commission (FTC) has taken legal action against EdTech player Chegg, alleging the firm has failed to protect its customers after suffering four data breaches since 2017.
The FTC’s proposed order alleged Chegg took “shortcuts” with the personal data of millions of its students and will mandate enhanced data security, limits to data collection, improved access controls and more autonomy for students to delete their own data.
The California-based company – which sells online tutoring and online scholarship search services, among other things – collects a large amount of personal and financial information on its customers. This includes their religious affiliation, date of birth, sexual orientation, disabilities, Social Security numbers and medical data, the FTC said.
The regulator alleged in its complaint that Chegg had failed to adequately protect this information, leading to three successful phishing attacks in the past five years.
However, perhaps the most damaging breach was when a former contractor used login information the company shared with employees and outside contractors to access a cloud database holding info on 40 million customers, the FTC said. Some of this information was subsequently sold online.
Specifically in the complaint, the FTC alleged that Chegg:
- Failed to use “commercially reasonable security measures” to protect the data, including failing to offer multi-factor authentication (MFA) to users, failing to monitor networks for suspicious activity, and allowing employees and contractors to use a single login to access sensitive information
- Stored sensitive information insecurely in the cloud in plain text and, until at least 2018, used “outdated and weak encryption” to protect user passwords
- Failed to provide adequate security training to employees and contractors or implement a written security policy until January 2021
According to the proposed order, Chegg will be required to offer MFA to customers and employees, justify and limit its data collection, and implement a comprehensive information security program including data encryption.
Chegg will also be required to provide customers with access to data collected about them and allow them to request that the company delete specific data.
“Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“The commission will continue to act aggressively to protect personal data.”
Chegg sent a statement on the FTC action to Infosecurity, arguing that it had "worked cooperatively" with the regulator and that no fines were ultimately levied.
“We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program,” it continued.
“Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”