According to the FTC, ed tech startup Chegg compromised 40 million customers’ data
You may trust Chegg for textbooks or tutoring, but regulators aren’t so sure. Since 2017, the Federal Trade Commission has accused education technology vendor Chegg of “careless” security procedures that have endangered personal data. Among the transgressions, the business is said to have exposed sensitive information for about 40 million users in 2018 when a former contractor used their login to access a third-party database. The exposed data included names, email addresses, passwords, and even religion, sexual orientation, and parental income ranges. The information was eventually put up for sale on the online black market.
Some of the information taken belonged to staff. Chegg exposed Social Security numbers, medical information, and other employee information.
The FTC also claims Chegg failed to implement “commercially reasonable” measures. It allegedly allowed workers and contractors to log in with a single shared login, did not require multi-factor authentication, and did not monitor for threats. According to the Commission, the corporation stored personal data in plain text and relied on “outdated and poor” encryption for passwords. Officials further claim that Chegg did not have a formal security policy until January 2021, and that despite three phishing attacks, it did not provide adequate security training.
According to the FTC, Chegg has agreed to comply with a proposed order to make amends. The organization will need to both identify and limit the extent of the information it gathers. It plans to implement multi-factor authentication as well as a “comprehensive” security programme that will involve encryption and security training. Customers will have access to their data and will be able to request that Chegg erase it.
Chegg is not alone in facing government crackdowns over security issues. Uber reached a settlement with the Justice Department in July for failing to notify consumers of a large data breach in 2016, while the FTC recently sanctioned Drizly and its CEO for alleged breaches that led to a 2020 incident. The government is clearly eager to avoid data breaches and to hold corporations with inadequate security measures accountable.
Chegg says in a statement that data protection is a “high focus.” The corporation cooperated with the FTC and stated that it will “completely comply” with the Commission’s mandate. It also says that it was not fined and believes this is due to its improved security posture.