The FTC Sues Chegg for Exposing Millions of Users’ Social Security Numbers and Other Key Data

IBL News | New York

The Federal Trade Commission (FTC) last week sued edtech provider Chegg, Inc. (NYSE: CHGG) for “its lax security practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses, and passwords.”

“These practices resulted in four separate data breaches in a span of just a few years, leading to the misappropriation of personal information about approximately 40 million consumers,” states the complaint.

A key component of Chegg’s information technology infrastructure was Simple Storage Service (S3), a cloud storage service offered by Amazon Web Services (AWS) that Chegg used to store a substantial amount of customer and employee data. The FTC alleges that:

  • Chegg allowed employees and third-party contractors to access the S3 databases with a single access key that provided full administrative privileges over all information.
  • Chegg didn’t require multi-factor authentication for account access to the S3 databases.
  • Rather than encrypting the data, Chegg stored users’ and employees’ personal information in plain text.
  • Until at least April 2018, Chegg “protected” passwords with outdated cryptographic hash functions.
  • Until at least April 2020, Chegg failed to provide adequate data security training for employees and contractors.
  • Chegg didn’t have processes in place for inventorying and deleting customers’ and employees’ personal information once there was no longer a business need to maintain it.
  • Chegg failed to monitor its networks adequately for unauthorized attempts to sneak in and illegally transfer sensitive data out of its system.

In each of the four incidents cited in the complaint, the FTC alleges that Chegg failed to take simple precautionary steps that would have likely helped prevent or detect the threat to consumer and employee data – for example, requiring employees to take data security training on the telltale signs of a phishing attempt.

The FTC suggests conducting regular in-house security training and provides Cybersecurity for Small Business resources for inspiration.

Chegg’s Third Quarter 2022 Earnings

Separately, Chegg this week announced its third-quarter earnings, showing net revenues of $164.7 million, a decrease of 4% year-over-year.