The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg after the company exposed the sensitive information of tens of millions of customers and employees in four data breaches suffered since 2017.
The agency’s proposed order would require Chegg to shore up data security, implement multifactor authentication (MFA) to help users secure their accounts, limit collected and stored customer data, and allow customers to access and delete their data.
“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, on Monday.
“Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”
Four breaches within three years
According to the FTC’s complaint, Chegg was first breached in September 2017 following a phishing attack that targeted multiple employees.
In April 2018, a former contractor used login information to gain access to Chegg’s Amazon S3 buckets containing the data of millions of users. The data was later found for sale online, together with roughly 25 million passwords in plaintext, which forced the company to reset the passwords of 40 million users.
One year later, after a Chegg executive’s credentials were stolen in a phishing attack, a threat actor gained access to the executive’s email inbox and the personal info (including financial and medical information) of users and employees.
After another 12 months, another Chegg employee fell victim to phishing, allowing the attackers to access the payroll system and steal hundreds of employees’ W-2 information (e.g., birth date, Social Security numbers).
Poor data security practices
The FTC complaint alleges that these four data breaches were the result of several poor data security practices, including Chegg’s failure to implement basic security measures: no MFA support, a single login shared across all of the compromised databases, and no monitoring for malicious activity.
Chegg is also accused of storing the employees’ and customers’ sensitive information insecurely and failing to provide its employees and contractors with phishing awareness training.
“As a result of these failures, some of the data about Chegg’s 40 million customers stolen by its former contractor was later found for sale online,” the FTC said.
“Chegg’s failure to protect its employees’ medical and financial data was particularly problematic since this information is valuable on the open market and is used to commit identity theft and fraud.”