FTC slams Chegg for chronic, ‘careless security’

Dive Brief:

Chegg, an online tutoring and textbook rental company, is in the Federal Trade Commission’s crosshairs after long standing poor security practices exposed personal information on about 40 million customers and employees.
Chegg, which provides services to high school and college students, “failed to fix problems with its data security despite experiencing four security breaches” between 2017 and 2020, the FTC alleged in its complaint and proposed order against the company.
The FTC will require Chegg to clarify what data it collects, why it’s collecting that information and when it will be deleted. The company must also delete unnecessary data, allow customers to access data collected on them and make requests for Chegg to delete that data.

Dive Insight:

Chegg, which the FTC accused of “careless security,” is the second firm to be held accountable by the federal agency for cybersecurity shortcomings in the last week. The FTC imposed similar measures on Drizly last week over security practices that exposed the data of about 2.5 million customers.

The FTC called out four security breaches at Chegg that occurred in September 2017, April 2018, June 2019 and April 2020. Three of the breaches involved phishing attacks that successfully targeted employees.

During the April 2018 breach a former Chegg contractor used legitimate login credentials to access a third-party cloud database containing personal information on about 40 million customers, according to the FTC. Some of the data stolen by Chegg’s former contractor was later found for sale online.

Personal information exposed during the breach, Chegg's most widespread and damaging, included names, email addresses, passwords, and some users’ sensitive scholarship data such as dates of birth, parent’s income range, sexual orientation and disabilities, the FTC said.

Chegg, a California-based company that was founded in 2005 and went public in 2013, didn’t have a written security policy or provide adequate security training to employees and contractors until January 2021. The company stored personal data on cloud storage databases in plain text with weak encryption until at least 2018, the agency said.

The incidents referenced in the FTC’s complaint occurred more than two years ago and the company will fully comply with mandates in the proposed order, a Chegg spokesperson told Cybersecurity Dive.

“Chegg took shortcuts with millions of students’ sensitive information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “[Monday's] order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end.”

The agency requires Chegg to mandate an information security program to comply with those safeguards within 90 days and provide multifactor authentication to all users within six months. Chegg must also comply with a third-party security assessment and provide annual certification from a senior executive responsible for the company’s security program.

“We have been modifying and improving our security program for years. The majority of the requirements of the information security program are already a part of our operations, and we will be compliant with any remaining pieces by the time periods required in the order,” a Chegg spokesperson said via email.