The Federal Trade Commission ordered education technology provider Chegg to address faults and weaknesses in its cybersecurity programme that led to the exposure of 40 million users' personal and financial information in four data breaches since 2017.
Chegg agreed to the order by promising to "enhance its data security, limit the data it can collect and retain, enable users multifactor authentication to secure their accounts, and permit users to access and erase their data," the FTC stated in a press release on Monday.
According to the FTC's order, Chegg neither accepted nor denied any of the charges in the complaint, except where expressly mentioned in the judgement.
The judgement and order against Chegg did not include a monetary penalty, but it did require the company to notify customers and implement a number of cybersecurity enhancements.
According to the FTC, three of the breaches happened when phishing attacks successfully targeted Chegg workers, while a fourth breach occurred when a former contractor accessed Chegg's third-party cloud databases using a login shared with Chegg employees and outside contractors.
Chegg, a publicly traded firm headquartered in Santa Clara, California, offers educational services to high school and college students, including online tutoring and a scholarship search engine.
According to the FTC complaint, four data breaches exposed the personal and financial information of 40 million customers, including "names, email addresses, passwords, and for certain users, sensitive scholarship data such as birth dates, parents' income range, sexual orientation, and disabilities." According to the FTC, several attacks exposed medical and financial information pertaining to Chegg employees.
The complaint says that Chegg violated FTC Act provisions when it "failed to provide reasonable security to prevent unauthorised access to users' personal information" and when it claimed on its website that it implemented "commercially reasonable security measures" to safeguard the data it acquired. The FTC determined that the corporation did not take such precautions, making the privacy assurances deceptive.
According to the complaint, Chegg failed to implement basic security measures when it did not require multi-factor authentication for employees and contractors to log into the company's third party databases; when it permitted employees and contractors to log into those databases with a single login; and when it did not monitor its network and databases for threats. In addition, personal information was maintained in plain text, and until 2018 the corporation employed obsolete and insecure encryption for user passwords. Even after multiple data breaches, Chegg did not implement proper security procedures and training until January 2021, according to the FTC.
The corporation must notify all customers and workers whose personal information was compromised, as well as provide a link on its website where customers can access and request deletion of their personal information. Chegg must provide multifactor authentication to all of its clients within six months of the order.
In reports to the FTC, Chegg must explain what personal information it collects, why it gathers it, and when it will destroy it. Additionally, Chegg must develop a security programme that encrypts all personal data and gives staff with annual security training.
Chegg must submit an annual compliance report to the FTC regarding the progress of its cybersecurity programme upgrades for the next 12 years. The duration of the order itself is twenty years.
Chegg response: In an emailed statement, a Chegg spokesperson said the company “worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome, and will comply fully with the mandates outlined in the commission’s administrative order.”
“Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts,” the spokesperson said.
By fLEXI tEAM