On Monday, the Federal Trade Commission (FTC) announced an enforcement action against, and a resolution with, Santa Clara, Calif.-based Chegg Inc., which markets and sells direct-to-student educational products and services. The agency claimed violations of the FTC Act in connection with four data breaches that occurred between September 2017 and April 2020.
The FTC’s administrative complaint explains that among other things, Chegg offers online learning aids, such as tutoring, writing assistance, a math-problem solver, and answers to common textbook questions. Its target audience is primarily high school and college students.
To provide services, Chegg collects sensitive personal information. For example, the FTC points to the company’s scholarship search service, for which Chegg collected information about religious affiliation, heritage, date of birth, parents’ income range, sexual orientation, and disabilities. This data, as well as other personally identifying information belonging to users and employees, was leaked in a series of breaches, including two phishing attacks and a former contractor’s infiltration of Chegg’s Amazon Web Services database.
According to the complaint, Chegg failed to implement “basic security measures” for the information it collected and stored. The FTC illustrates this by pointing to the company’s failure to require employees and contractors to use multifactor authentication to log in to databases, and its failure to monitor networks and databases for threats.
Additionally, Chegg did not properly encrypt personal data and passwords, storing personal data in plain text until at least 2018. Lastly, the FTC says the company fell short of maintaining adequate security policies and corresponding training until January 2021. The result, the FTC said, was that the data of 40 million Chegg customers stolen by its former contractor was found for sale online.
As part of its resolution of the FTC’s allegations, Chegg has agreed to limit data collection, use stronger protections, and implement a training and compliance program. The consent decree does not require Chegg to pay any penalties, but does require it to notify customers of steps they can take to protect themselves from identity theft, including accessing yearly free credit reports.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, commented in a statement: “Chegg took shortcuts with millions of students’ sensitive information. Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”