The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg after the company exposed the sensitive information of tens of millions of customers and employees in four data breaches suffered since 2017.

The agency’s proposed order would require Chegg to shore up data security, implement multifactor authentication (MFA) to help users secure their accounts, limit collected and stored customer data, and allow customers to access and delete their data.

“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, on Monday.

“Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”

Four breaches within three years

According to the FTC's complaint, Chegg was first breached in September 2017 following a phishing attack that targeted multiple employees.

In April 2018, a former contractor used still-valid credentials to gain access to Chegg's Amazon S3 buckets containing the data of millions of users. The data was later found for sale online, together with roughly 25 million passwords in plaintext, which forced the company to reset the passwords of 40 million users.

One year later, after a Chegg executive's credentials were stolen in a phishing attack, a threat actor gained access to the executive's email inbox and to the personal information (including financial and medical information) of users and employees.

After another 12 months, another Chegg employee fell victim to phishing, allowing the attackers to access the payroll system and steal hundreds of employees’ W-2 information (e.g., birth date, Social Security numbers).

Poor data security practices

The FTC complaint alleges that these four data breaches were the result of several poor data security practices, including Chegg's failure to implement basic security measures: no MFA support, a single login shared across all of the compromised databases, and no monitoring for malicious activity.

Chegg is also accused of storing the employees’ and customers’ sensitive information insecurely and failing to provide its employees and contractors with phishing awareness training.

“As a result of these failures, some of the data about Chegg’s 40 million customers stolen by its former contractor was later found for sale online,” the FTC said.

“Chegg’s failure to protect its employees’ medical and financial data was particularly problematic since this information is valuable on the open market and is used to commit identity theft and fraud.”

Update October 31, 15:49 EDT: A Chegg spokesperson shared the following update after the article was published:

Data privacy is a top priority for Chegg. Chegg worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission’s Administrative Order. The incidents in the Federal Trade Commission’s complaint related to issues that occurred more than two years ago. No monetary fines were assessed. We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program. Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.

Source: www.bleepingcomputer.com