The Federal Trade Commission has accused U.S. education technology giant Chegg of “careless” cybersecurity practices that led to the exposure of sensitive information about tens of millions of its customers and employees.
In a legal complaint filed on Monday, the FTC accuses Chegg — which provides digital and physical textbook rentals and online tutoring — of numerous cybersecurity lapses that resulted in four separate data breaches between 2017 and 2020.
In 2018, for example, hackers made off with 40 million Chegg customer records after a former contractor accessed a database that contained customer names, email addresses, passwords and other sensitive information, including religion, sexual orientation, disabilities and parents’ income ranges. According to the FTC’s complaint, Chegg allowed employees and third-party contractors to access Amazon-hosted storage with a single access key that provided full administrative privileges over all information.
Chegg also experienced three more data breaches involving phishing attacks that successfully targeted Chegg employees. These attacks exposed yet more sensitive data about Chegg’s customers and employees, including financial and medical information, and Social Security numbers.
The FTC complaint alleges that these four breaches were the result of poor data security practices, including the use of a single login for all compromised databases, a lack of multi-factor authentication, the storing of all users’ and employee’s data in plaintext and a failure to monitor networks for malicious activity.
Officials also say Chegg didn’t have a written security policy until January 2021 and failed to provide sufficient security training despite three phishing attacks.
The FTC said Chegg had agreed to adopt a comprehensive data security program to settle the charges, which will involve providing security training to employees and encrypting user data. Chegg must also allow customers access to the personal information it has collected about them — including any precise location data or persistent identifiers like IP addresses — and allow users to delete their records.
“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”
When reached for comment, Chegg vice president of communications and policy Marc Boxser told TechCrunch that Chegg “will comply fully with the mandates” set out by the FTC’s order.
The FTC’s action against Chegg amounts to a wider warning to the U.S. edtech industry. Back in May, the agency issued a policy statement saying that it planned to crack down on edtech companies that collected excessive personal details from schoolchildren or failed to secure students’ personal information.
“Going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy,” the FTC said.
Updated with comment from Chegg.