Data of 40 million users of ed tech company Chegg in the wild

Chegg has come to the attention of the Federal Trade Commission for serious security breaches. The company allegedly failed to do even the bare minimum to protect user data.

Chegg is an American educational technology company with a strong US presence. The Federal Trade Commission (FTC) filed a lawsuit against the company, accusing it of neglecting its security, which has led to the compromise of a large amount of personal data since 2017. Among the breaches, the company allegedly exposed the data of 40 million users in 2018, after a former contractor used his credentials to access a third-party database. Names, email addresses and passwords, as well as religion, sexual orientation and parental income, are said to have been sold on the black market.

The FTC also accuses Chegg of failing to implement “commercially reasonable” security measures. The company allegedly allowed employees and contractors to use the same account, without requiring two-factor authentication or using threat intelligence. It shared personal data in the clear and used “weak and outdated” encryption for passwords. Chegg also allegedly had no adequate security policy until January 2021, and security training remained insufficient despite three phishing campaigns.

According to the FTC, Chegg has promised to fix the situation. The company must be specific about the information it collects and limit that collection as much as possible. It will also implement two-factor authentication as well as a “comprehensive” security program that includes encryption and security training. Customers will have access to their data and may ask Chegg to delete it.

Chegg isn’t the only company the FTC has taken on over security concerns. Last July, Uber reached a settlement with the Justice Department for failing to notify customers of a major security breach in 2016. Most recently, the Federal Trade Commission sanctioned Drizly and its CEO for mistakes that led to a large-scale incident in 2020. The US government wants to prevent such security breaches, or at least minimize the risk, and intends to punish companies that do not take security seriously.

In a press release, Chegg explains that data privacy is a “priority”. The company has cooperated with the FTC and will “fully comply” with the Commission’s requests. It adds that it has not received any fine, which it says is proof that it is working to improve its security.