FTC cracks down on homework app provider Chegg for 4 past data breaches

The US Federal Trade Commission is forcing homework app provider Chegg to revamp its cybersecurity practices for failing to prevent four past data breaches.

The FTC accused Chegg of taking “shortcuts with millions of sensitive student information,” citing the California-based company’s “negligent” stance on security.

“Today’s order requires the company to strengthen security measures, provide consumers with an easy way to delete their data, and limit upstream information collection,” said Samuel Levine, director of the FTC’s consumer protection office.

According to the FTC, the company suffered three data breaches following successful phishing attacks against Chegg employees in 2017, 2019 and 2020. “These attacks exposed sensitive data about Chegg employees, including medical and financial information,” the regulator said.

Additionally, Chegg has failed to bolster corporate security by implementing multi-factor authentication for internal logins or requiring employees to complete training on identifying phishing threats, the FTC adds.

In 2018, the education provider also suffered a breach involving a former contractor who stole the data of 40 million users by exploiting the fact that a root login for an enterprise AWS cloud server had been widely shared with employees and contractors. The stolen data included Chegg usernames, email addresses, dates of birth, parents’ income bracket, sexual orientation and disabilities, and was later found available on an online forum.

According to the FTC, Chegg failed to secure its users’ sensitive data even after the incident. “For example, Chegg continues to store consumer personal information in plain text in its AWS S3 buckets,” the regulator alleges.

In response, the FTC order requires the education provider to strengthen its approach to cybersecurity. This includes providing multi-factor authentication for users and employees, implementing systems to monitor IT access on the corporate network, and requiring employees to undergo regular security training.

In a statement, Chegg said it worked with the FTC on the consent order. “The incidents in the Federal Trade Commission complaint related to issues that occurred more than two years ago. No monetary fines have been imposed,” the company said. “We believe our positive negotiations with the FTC are indicative of our current strong security practices, as well as our efforts to continually improve our security program. Chegg is fully committed to protecting user data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”

The FTC’s order means Chegg avoids a large fine. However, the commission warns that it could impose civil penalties of up to $46,517 for each violation if Chegg is found violating FTC regulations in the future. Last week, the commission also issued a similar order for alcohol supplier Drizly for failing to prevent a data breach in 2020.
