Homework help doesn’t have to be expensive – especially when it comes to student safety. The Federal Trade Commission (FTC) agrees. After finding that Chegg, a provider of education technology, risked the safety of its employees and users, the Federal Trade Commission ordered the company to “enhance protections against data leaks and delete unnecessary data.”
FTC action against Chegg
Over the years, Chegg has offered a variety of educational tools for high school and college students. This includes a homework help app and a scholarship search service. While that sounds great at first, if it’s not about protecting students’ personal information, then the help really isn’t going to be…helpful.
Chegg collects a lot of personal information beyond your usual name, nickname, address, and phone number. It also collects information about religious affiliation, heritage, date of birth, sexual orientation and disability. Employee data collected includes date of birth, social security number, financial and medical information.
Despite the amount of personal information collected, the FTC is taking action against Chegg “for its lax data security practices that exposed sensitive information about millions of its customers and employees.”
The FTC would like Chegg to improve data security and set limits on the data it requests and stores. It is also proposed to offer users two-factor authentication and the ability to access and delete stored data.
“Chegg quickly handled the sensitive information of millions of students,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security measures, offer consumers an easy way to delete their data and limit the collection of information on the front end. The commission will continue to act aggressively to protect personal data.”
Chegg data breach
The FTC alleged in its official complaint that the four data breaches exposed all the personal information of its employees and users. The first was in 2017, when a hacker gained access to employee direct deposit information following a phishing attack.
The following year, a former Chegg contractor used the login credentials to access a third-party cloud database that contained the personal information of about 40 million users. Some of this data was later found for sale on the Internet. Two more data breaches followed, involving phishing attacks targeting Chegg employees.
The FTC believes these data breaches occurred because Chegg:
- Failed to implement elementary security measures
- Has unsafe methods of storing information
- Failure to develop adequate safety and training policies
Steps Chegg will need to take
The Federal Trade Commission outlined a series of steps Chegg should take:
- Details and limitations of data collection.
- Give users access to data.
- Use multi-factor authentication or another similar method.
- Implement a security program.
All of this falls under the FTC’s efforts to protect personal data obtained through educational technology. In May, the Commission warned education technology companies against collecting personal information of children under 13, as it violates the Children’s Online Privacy Protection Act.
The FTC will soon publish information about the consent agreement package in the Federal Register. The public will have 30 days to comment, after which the Commission will decide whether to consider it final.
Want to learn more about how the FTC protects you? Read Amazon’s investigation into Prime account fraud.
Image credit: Unsplash. All screenshots by Laura Tucker.
Was this article helpful?
Subscribe to our newsletter!
Our latest tutorials delivered straight to your inbox