A streak of data breaches at Chegg that occurred between 2017 and 2020 has been identified as a period of gross cybersecurity negligence by the Federal Trade Commission (FTC), and the agency has now ordered the edtech giant to clean up its act.
The company is not being fined, but could face fines if it does not follow plans to bolster its cybersecurity and improve its customer data handling practices. One of the country’s largest edtech outfits, Chegg ran into trouble by storing sensitive data on very poorly protected cloud servers and failing to train employees in basic security hygiene (among other issues).
Repeated data breaches triggered investigation, legal action
The four data breaches that prompted FTC involvement collectively involved the loss of tens of millions of both customer and employee records, and would have been readily preventable had the edtech giant been following basic cybersecurity best practices.
The settlement terms protect Chegg’s pocketbook for the moment, at least so long as it follows required stipulations, but require it to improve its handling of personal data, notifications to data subjects and ability to access and remove that data upon request. The company must also implement two-factor login options for both its employees and customers. The company could face fines in the future if it is found to not be adhering to this agreement.
Chegg has been in business for over a decade and has grown to become one of the largest multipurpose edtech outfits, with a particular spurt of growth in recent years as schools closed and students began taking classes from home. Most of its legal trouble came in the years just before the pandemic, however, when it was found to be giving vendors wide-ranging access to sensitive customer and employee data stored in plaintext on cloud servers.
Edtech firm shared too much with vendors
To give an idea of what kind of data Chegg was storing, the company’s primary lines of business are in renting out textbooks and in scholarship search assistance. That means students trust the edtech firm with not just financial information, but a wide range of sensitive personal and demographic information (including Social Security numbers in some cases).
Unfortunately, all of this was stored in plaintext on Amazon AWS S3 cloud servers for years. Even worse, all of the company’s third-party contractors were given a single shared access key that furnished them with access to all of it. And not only was none of this data encrypted, but passwords were also secured with the badly dated MD5 function, which is now considered trivial to crack.
Data breaches were inevitable given this state of affairs, and there was a massive one in 2018 in which a former employee of one of these contractors let themselves back in and raided about 40 million records. And despite being notified that the stolen MD5 passwords had been cracked and made available along with the stolen records on the dark web, Chegg continued to store information in plaintext on cloud servers.
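To illustrate the password-storage weakness described above, here is an added Python example (not Chegg’s code, and not part of the original article) that audits a constructed credential store: unsalted MD5 digests let a single precomputed table of common passwords match every account at once, while per-user salted scrypt hashes do not. All user names, passwords and the wordlist are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data); two users share a password.
SAMPLE_USERS = {"alice": "Password123", "bob": "Password123", "carol": "T9#vq!Lm2xR"}

# Constructed list of widely used passwords, serving as a defender's audit wordlist.
COMMON_PASSWORDS = ["123456", "password", "Password123", "qwerty"]


def md5_store(password):
    """Weak scheme: unsalted, fast MD5 digest. Equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_store(password, salt=None):
    """Stronger scheme: random per-user salt plus a memory-hard, slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def scrypt_verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, digest)


def audit_md5_store(stored_hashes, wordlist):
    """Defender audit: which accounts fall to ONE precomputed table?

    Because the MD5 digests are unsalted, each word is hashed once and the
    result matches every account using that password, however many there are.
    """
    table = {md5_store(word): word for word in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def salted_hashes_are_distinct(users):
    """Show that salted scrypt yields different digests even for equal passwords."""
    digests = [scrypt_store(pw)[1] for pw in users.values()]
    return len(set(digests)) == len(digests)


if __name__ == "__main__":
    md5_db = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    print("MD5 accounts exposed by one table:", audit_md5_store(md5_db, COMMON_PASSWORDS))
    print("scrypt digests all distinct:", salted_hashes_are_distinct(SAMPLE_USERS))
```

Running the audit against the MD5 store flags both alice and bob from a single table lookup; the same wordlist buys nothing against the salted scrypt store, where each account would have to be attacked separately and slowly.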
Chegg was also successfully phished in three different incidents in 2017, 2019 and 2020. In one of these data breaches, the payroll department was compromised and hundreds of records of employee tax and direct deposit information were taken. The FTC found that the company did not have employee phishing training in place until 2020, even after it had been breached multiple times. It also failed to inventory and delete old personal data that should have been removed, and did not provide multi-factor login options.