FTC says ed tech company Chegg exposed data of 40 million users

You may trust Chegg with your textbooks or tutoring, but regulators aren’t quite so confident. The Federal Trade Commission has filed a complaint accusing education tech provider Chegg of “careless” security practices that compromised personal data since 2017. Among the violations, the company reportedly exposed sensitive info for roughly 40 million customers in 2018 after a former contractor used their login to access a third-party database. The exposed data included names, email addresses, passwords and even details like religion, sexual orientation and parents’ income ranges. The info eventually turned up for sale through the online black market.

Some of the stolen info belonged to employees. Chegg exposed Social Security numbers, medical data and other worker details.

The FTC further alleges Chegg failed to use “commercially reasonable” safeguards. It reportedly let employees and contractors use a single sign-in, didn’t require multi-factor authentication and didn’t scan for threats. The firm stored personal data in plain text and relied on “outdated and weak” encryption for passwords, the Commission adds. Officials also say Chegg didn’t even have a written security policy until January 2021, and didn’t provide sufficient security training despite three phishing attacks.

Chegg has agreed to honor a proposed order to make amends, the FTC says. The company will have to both define the information it collects and limit the scope of that collection. It will institute multi-factor authentication and a “comprehensive” security program that includes encryption and security training. Customers will have access to their data, and will be allowed to ask Chegg to delete that data.

We’ve asked Chegg for comment. However, it’s not alone in facing government crackdowns over security problems. Uber settled with the Justice Department in July for failing to notify customers of a major 2016 data breach, while the FTC recently penalized Drizly and its CEO for alleged lapses that led to a 2020 incident. The government is clearly eager to prevent data breaches and make an example of companies with sub-par security measures.
