The Federal Trade Commission has announced that it is acting against Chegg, an education technology company, for its careless security practices that led to a data breach exposing the personal information of millions of customers. Chegg will be required to harden its security against data breaches and delete all unnecessary data.
The FTC’s proposed order will also require Chegg to provide users with multi-factor authentication to secure their accounts and to give users access to their data with the option of deleting it. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said, “Chegg took shortcuts with millions of students’ sensitive information… The commission will continue to act aggressively to protect personal data.”
Since 2017, Chegg has been breached several times. The first breach stemmed from a phishing attack that allowed access to employees’ direct deposit information. Less than a year later, Chegg learned that hackers had gained access to a database that contained the personal information of millions of customers, including names, email addresses, mailing addresses, dates of birth, and Social Security numbers. The company did not discover the breach until November 2018—seven months later—and did not notify affected customers until December 2018. In total, the hackers had access to Chegg’s systems for nine months.
Because of Chegg’s failure to follow basic security measures, about 40 million customers’ data was being sold online. After investigating the breaches, the FTC decided that Chegg’s poor data security practices began with:
- Failing to implement basic security measures
- Storing information insecurely
- Failing to develop adequate security policies and training
The FTC’s proposed order against Chegg sends a strong message to companies that they must take steps to protect the personal data of their customers or face severe consequences. By requiring Chegg to improve its security practices, delete unnecessary customer data, and offer customers better control over their account information, the FTC is holding Chegg accountable for its careless handling of customer data. Other companies must take note of this case and ensure that they are taking steps to protect customer data or face similar consequences from the FTC.