The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg for exposing sensitive information of students and employees four times since 2017.
The FTC wants Chegg to improve data security by encrypting sensitive information, requiring multi-factor authentication for users and employees, limiting the amount of personal information collected and retained, allowing customers to access and delete their data, and training employees in security practices.
In addition, the FTC found that Chegg failed to notify all 40 million users and employees whose personal information was compromised during the four breaches, and has instructed the company to notify anyone whose information was compromised within the next 60 days.
If Chegg, an educational technology company, were graded on security, it would almost certainly receive an F for having been hacked four times in the past five years. The first incident occurred in September 2017, when several employees were targeted in a phishing attack.
The second incident occurred in April 2018, when a former contractor used login credentials to access Chegg's Amazon S3 buckets, which held the personal data of millions of users. The data was put up for sale online, along with about 25 million plaintext passwords, forcing the company to reset the passwords of 40 million users.
The third incident came a year later, when a Chegg executive's credentials were stolen in a phishing attack. The threat actor gained access to the executive's email inbox, which contained personal information (including financial and medical information) of users and employees.
The fourth incident occurred a year after that, when another Chegg employee fell victim to phishing, giving the attackers access to the payroll system and allowing them to steal the personal information of hundreds of employees.
The sources for this piece include an article in BleepingComputer.