The Federal Trade Commission this week sued educational technology vendor Chegg for exposing tens of millions of users’ personal information, arguing that the company “didn’t do its homework” after experiencing four major data breaches since 2017.
In its complaint, filed Monday, the FTC said roughly 40 million users had their personal identifying information exposed in the incidents, including students’ religious affiliations, ethnic backgrounds, dates of birth, sexual orientation, disabilities and parents’ income.
The causes of the breaches include multiple instances of employees — some of them quite high-ranking — falling for malicious links that gave threat actors access to closely held data, as well as weak company security policies. One breach in 2018 occurred when a former contractor was able to access Chegg’s Amazon Web Services cloud storage using an AWS root credential, which effectively makes the entirety of those databases visible.
One of the successful phishing incidents, in 2020, involved a “senior executive” whose opening of a malicious email allowed a network intruder to make off with consumers’ financial and medical information, as well as the W-2 information — including birthdays and Social Security numbers — of 700 current and former employees.
The FTC also said that Chegg did not require multi-factor authentication for access to its AWS storage, and often didn’t encrypt the data it had collected from students. The commission also faulted the company for not offering better anti-phishing training for employees and contractors, and for not monitoring its network for suspicious data transfers.
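Three of the control gaps named here (root-credential use, cloud storage access without MFA, and no monitoring for unusual data transfers) are all visible in API audit logs such as AWS CloudTrail. The script below is an added example, not code from the article, Chegg or the FTC complaint: it audits a handful of constructed, abbreviated CloudTrail-style records for those three conditions. The account id, ARNs, bucket name and timestamps are placeholders, and the 100 MB per-principal egress threshold is an assumed value.

```python
import json
from collections import defaultdict

# Constructed sample events in the shape of AWS CloudTrail records (abbreviated).
# Account id, ARNs, bucket name and timestamps are placeholders, not real data.
SAMPLE_EVENTS = [
    {   # root credential pulling a large object from a data bucket
        "eventTime": "2018-04-29T02:14:07Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {
            "type": "Root",
            "arn": "arn:aws:iam::111122223333:root",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "requestParameters": {"bucketName": "example-student-records"},
        "additionalEventData": {"bytesTransferredOut": 400_000_000},
    },
    {   # IAM user in an MFA-backed console session doing a small read: normal
        "eventTime": "2018-04-29T09:31:55Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::111122223333:user/analyst",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
        },
        "requestParameters": {"bucketName": "example-student-records"},
        "additionalEventData": {"bytesTransferredOut": 2_048},
    },
    {   # long-lived access key with no session context: MFA never took part
        "eventTime": "2018-04-30T17:02:10Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::111122223333:user/former-contractor",
        },
    },
]


def uses_root(event):
    """True when the call was made with the account's root credential."""
    return event.get("userIdentity", {}).get("type") == "Root"


def mfa_authenticated(event):
    """True only when CloudTrail recorded an MFA-backed session.

    Calls signed with a long-lived access key carry no sessionContext at all,
    so they count as non-MFA: that is the access path a "require MFA for
    storage access" policy has to close.
    """
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def bytes_out(event):
    """Outbound bytes reported for S3 data events (0 when the field is absent)."""
    return int((event.get("additionalEventData") or {}).get("bytesTransferredOut", 0))


def audit(events, egress_threshold=100_000_000):
    """Return (category, principal_arn, detail) findings for the three gaps."""
    findings = []
    egress_by_principal = defaultdict(int)
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        if uses_root(ev):
            findings.append(("root-credential-use", arn, ev["eventName"]))
        if not mfa_authenticated(ev):
            findings.append(("no-mfa", arn, ev["eventName"]))
        egress_by_principal[arn] += bytes_out(ev)
    # Per-principal egress above the threshold is the "suspicious data
    # transfer" signal the complaint says went unmonitored. The threshold
    # is an assumed value; tune it to the environment's normal baseline.
    for arn, total in egress_by_principal.items():
        if total > egress_threshold:
            findings.append(("large-egress", arn, f"{total} bytes"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Run as-is, the script reports the root read twice (root use and no MFA), the former contractor's key-signed call once (no MFA), and the root principal's 400 MB of egress, while the analyst's MFA-backed small read produces nothing. The same checks apply unchanged to real CloudTrail exports, since they only read fields CloudTrail already records.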
Chegg was founded in 2005 as a digital textbook rental service, and has since expanded to include a popular homework-assistance app used at colleges and high schools nationwide. In a proposed order, the company agreed to implement a new data-security policy and adopt multi-factor authentication for all employee and user accounts.