You may trust Chegg with your textbooks or tutoring, but regulators aren't quite so confident. The Federal Trade Commission has filed a complaint accusing education tech provider Chegg of "careless" security practices that compromised personal data since 2017. Among the violations, the company reportedly exposed sensitive info for roughly 40 million customers in 2018 after a former contractor used their login to access a third-party database. The exposed data included names, email addresses, passwords and even details like religion, sexual orientation and parents' income ranges. The info eventually turned up for sale on the online black market.
Some of the stolen info belonged to employees. Chegg exposed Social Security numbers, medical data and other worker details.
The FTC further alleges Chegg failed to use "commercially reasonable" safeguards. It reportedly let employees and contractors share a single login, didn't require multi-factor authentication and didn't scan for threats. The firm stored personal data in plain text and relied on "outdated and weak" encryption for passwords, the Commission adds. Officials also say Chegg didn't even have a written security policy until January 2021, and didn't provide sufficient security training despite suffering three phishing attacks.
Chegg has agreed to honor a proposed order to make amends, the FTC says. The company will have to both define the information it collects and limit the scope of that collection. It will institute multi-factor authentication and a "comprehensive" security program that includes encryption and security training. Customers will have access to their data, and will be allowed to ask Chegg to delete that data.
The provider isn't alone in facing government crackdowns over security problems. Uber settled with the Justice Department in July for failing to notify customers of a major 2016 data breach, while the FTC recently penalized Drizly and its CEO for alleged lapses that led to a 2020 incident. The government is clearly eager to prevent data breaches and make an example of companies with sub-par security measures.
In a statement to Engadget, Chegg says it treats data privacy as a "top priority." The company cooperated with the FTC and will "comply fully" with the Commission's order. It adds that it didn't face any fines, and believes this is a reflection of its improved security stance. You can read the full response below.
"Data privacy is a top priority for Chegg. Chegg worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission’s Administrative Order. The incidents in the Federal Trade Commission’s complaint related to issues that occurred more than two years ago. No monetary fines were assessed, which we believe is indicative of our current robust security practices, as well as our efforts to continuously improve our security program. Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts."