FTC Brings Case Against Ed Tech Provider Chegg Over Reckless Security That Exposed Millions Of Customers’ Personal Information | So Good News
The Federal Trade Commission is taking action against education technology provider Chegg Inc. for lax data security practices that exposed the personal information of millions of its customers and employees, including Social Security numbers, email addresses and passwords. The FTC says Chegg failed to fix its data security problems despite suffering four security breaches since 2017. The proposed order requires the company to strengthen its data security, limit the data it can collect and retain, offer users multifactor authentication to protect their accounts, and allow users to access and delete their data.
“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”
The California-based company sells educational products and services aimed at high school and college students, including online tutoring and a scholarship search service. Chegg collects a large amount of personal information about its users. For example, as part of its scholarship search service, Chegg has collected information about users’ religion, heritage, date of birth, sexual orientation, and disabilities. It has also collected and stored sensitive information about its employees, including dates of birth, Social Security numbers, and financial and medical information.
In its complaint, the FTC alleges that Chegg failed to protect the information it collected from its users and employees. As a result, the company suffered four breaches that exposed personal information. The first occurred in September 2017, when several Chegg employees fell for a phishing attack that gave the attacker access to employees’ direct deposit payroll information. Less than a year later, a former Chegg contractor used login credentials that the company shared among employees and outside contractors to access one of Chegg’s third-party cloud databases containing personal information on about 40 million customers. The exposed data included names, email addresses, and passwords, and for some users, sensitive scholarship data such as dates of birth, parents’ income range, sexual orientation, and disabilities. Over the next two years, Chegg suffered two more breaches, again through phishing attacks that targeted Chegg employees. These exposed information about Chegg’s employees, including medical and financial information.
The FTC’s complaint alleges that the breaches stemmed from Chegg’s poor data security practices, which included:
- Failure to implement basic security measures: The FTC says that despite its promises, Chegg failed to use “reasonable security practices” to protect the personal information it collected and stored. For example, at various times during the relevant period, it did not require employees to use multifactor authentication to access its third-party databases, allowed employees and contractors to share a single login to access those databases, and failed to monitor its networks and databases for threats. Shared credentials also defeat accountability: when many people use one login, access logs cannot tell which of them touched the data, which is exactly what made the contractor’s access possible and hard to attribute.
- Failure to store information securely: Chegg stored personal information in its cloud storage databases in plain text, and until at least 2018 used outdated and weak encryption to protect user passwords. (Passwords should not be stored in any reversible or fast-to-compute form at all; the accepted practice is a salted, deliberately slow password hash, so that a stolen database does not hand over working credentials.)
- Failure to develop adequate security policies and training: Despite the three phishing attacks, the company failed to provide adequate security training to employees and contractors, and did not have a written security policy until January 2021.
As a result of these failures, some of the data on 40 million customers that the former contractor stole was later found for sale online. Chegg’s failure to protect its employees’ medical and financial data was especially harmful because such information is valuable on underground markets and is used to commit identity theft and fraud, according to the complaint.
As part of the proposed settlement, Chegg will be required to take steps to address the problems outlined in the FTC’s complaint, including:
- Document and limit data collection: Chegg must write and follow a policy that documents what information the company collects, why it collects that information, and when it will delete it.
- Provide consumer access to data: Chegg must give its customers access to the information collected about them and allow them to request that the company delete that data.
- Provide multifactor authentication: Chegg must offer its customers and employees two-factor authentication or another authentication method to help protect their accounts.
- Follow a security program: Chegg must implement a comprehensive information security program that addresses the problems outlined in the complaint, including encrypting consumer data and providing security training to its employees.
The action against Chegg is part of the FTC’s efforts to ensure that education technology companies protect and secure the information they collect and do not collect more information than is necessary. In May 2022, the agency issued a policy statement warning ed tech providers against unlawfully collecting data from children under the age of 13 in violation of the Children’s Online Privacy Protection Act, which also requires companies to protect the information they collect. The agency is also exploring broader rules on commercial surveillance and lax data security practices, having issued an advance notice of proposed rulemaking on the subject. And the FTC continues to hold companies accountable for failing to protect consumer data: earlier this month, the FTC announced a settlement with online alcohol delivery marketplace Drizly and its CEO over its careless data security practices.
The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with Chegg.
The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be open to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.