Chegg sued by FTC over lax data security

The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg for exposing sensitive information of students and employees four times since 2017.

The FTC wants Chegg to improve data security by encrypting sensitive information, requiring multi-factor authentication for users and employees, limiting the amount of personal information collected and retained, allowing customers to access and delete their data, and training employees in security practices.

In addition, the FTC found that Chegg failed to notify all 40 million users and employees whose personal information was compromised during the four breaches, and has instructed the company to notify anyone whose information was compromised within the next 60 days.

If Chegg, an educational technology company, were classified in terms of security, it would almost certainly receive an F for having been hacked four times in the past five years. The first of which occurred in September 2017, when several employees were targeted in a phishing attack.

The second incident occurred in April 2018, when a former contractor used login information to gain access to Chegg Amazon S3 buckets containing millions of user data, forcing the company to reset the passwords of 40 million users after the data was put up for sale online, along with about 25 million plaintext passwords.

The third attack was when a Chegg executive’s credentials stolen in a phishing attack a year later. The threat actor gained access to the executive email inbox as well as personal information (including financial and medical information) of users and employees, leading to the third attack.

The fourth incident occurred a year later, when another Chegg employee fell victim to phishing, giving the attackers access to the payroll system and stealing the personal information of hundreds of employees.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web