From one point of view.
- FTC Takes Action Against Education Tech Firm Chegg.
- An arrest warrant has been issued for the extortionist from Vastaamo.
FTC Takes Action Against Education Tech Firm Chegg.
The US Federal Trade Commission (FTC) has announced that it is taking action against California-based education technology provider Chegg Inc., which has suffered four security breaches in the past five years, exposing customer and employee personal data. The FTC alleges that the breaches were the result of Chegg’s poor data protection practices and the company’s failure to fix those problems once they were known. In one attack, an employee was tricked into giving an attacker access to employees’ direct deposit information; in another, a former Chegg contractor gained access to one of Chegg’s third-party cloud databases containing the personal data of approximately 40 million customers. The breached data included student email addresses and passwords and, for some users, sensitive scholarship data such as parents’ income levels, sexual orientation and health status, as well as employee medical and financial information.
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said: “Chegg quickly accessed the confidential information of millions of students. Today’s order requires the company to strengthen security measures, offer consumers an easy way to delete their data, and limit the collection of information on the front end.” Additionally, Chegg, which sells educational products and services such as online tutoring and scholarship programs for high school and college students, will be required to offer users multi-factor authentication to better protect their accounts. In May, the FTC issued a policy statement warning education technology companies that collecting personal information from children under the age of 13 and not adequately protecting that data is a violation of the Children’s Online Privacy Protection Act, and the action against Chegg underscores the Commission’s intent to enforce that law. “The lawsuit against Chegg is part of the FTC’s aggressive effort to ensure that education technology companies protect and secure the personal data they collect and not collect more information than necessary,” the statement said.
Joe Garber, director of marketing at Axiad, sees this as a case of an identity-based attack, a class of attack that many organizations are ill-equipped to handle:
“This news is yet another example of an organization being so ill-prepared for an identity-based cyber attack and then paying for it. In this case, the warning signs were certainly visible, with four breaches in the last three years, meaning the last one could have been prevented. The U.S. Federal Trade Commission’s (FTC) demand for specific changes to an organization’s cybersecurity system makes sense in this context, including actions needed to better protect user accounts. However, the mandate to simply implement MFA probably doesn’t go far enough, given the organization’s history of being vulnerable to phishing attacks. It’s important to be aware that not all MFA is created equal, and attackers can often subvert the authentication process – often by stealing user credentials through fake login pages – with fewer options. MFA backed by phishing-resistant methods such as FIDO2 and Certificate-Based Authentication (CBA), as well as the use of trusted hardware tokens and compliance with standards such as user behavior validation, provides the most reliable level of security against phishing attacks. Such an approach would seem to be appropriate in this situation.”
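Garber’s point about fake login pages is easiest to see in code. The Go program below is an added example written for this page; it is not code from Chegg, Axiad or the FTC order. It models, in simplified form, the three things that make a FIDO2/WebAuthn login phishing-resistant: the browser, not the page, writes the page’s origin into the client data that gets signed; the browser refuses a request for a relying-party (RP) ID that is not the page’s own host or a parent domain of it; and the RP checks the challenge, origin and RP ID hash before it verifies the signature. The hostnames and challenge strings are constructed, the authenticator data is a flat byte layout rather than the spec’s CBOR encoding, and an in-process ECDSA P-256 key stands in for the hardware token.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// clientData: subset of WebAuthn CollectedClientData. The browser sets Origin; page script cannot.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) receives. Layout simplified from the spec.
type assertion struct {
	AuthData       []byte // sha256(rpID) || flags || signCount
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over sha256(AuthData || sha256(ClientDataJSON))
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// getAssertion models navigator.credentials.get(): the page may only name an RP ID equal to its own
// host or a parent domain, the key only answers for the RP ID it was registered under (credRpID).
func getAssertion(credRpID string, key *ecdsa.PrivateKey, pageOrigin, rpID, challenge string) (*assertion, error) {
	if u, err := url.Parse(pageOrigin); err != nil || u.Scheme != "https" ||
		(u.Hostname() != rpID && !strings.HasSuffix(u.Hostname(), "."+rpID)) {
		return nil, fmt.Errorf("browser: SecurityError: RP ID %q not allowed for origin %s", rpID, pageOrigin)
	}
	if credRpID != rpID {
		return nil, fmt.Errorf("authenticator: no credential for RP ID %q", rpID)
	}
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags=UP (user present), signCount=1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cdj))
	return &assertion{AuthData: authData, ClientDataJSON: cdj, Signature: sig}, err
}

// verifyAssertion is the RP check reduced to the steps that give phishing and replay resistance:
// challenge, origin and rpIdHash are compared, then the signature, which covers the client data.
func verifyAssertion(pub *ecdsa.PublicKey, origin, rpID, challenge string, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("rp: type/challenge mismatch (replayed assertion?)")
	}
	if cd.Origin != origin {
		return fmt.Errorf("rp: origin %s is not %s (relayed through a fake login page?)", cd.Origin, origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rp: rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("rp: bad signature")
	}
	return nil
}

// demo runs one genuine login and two attacks; hostnames and challenges are constructed.
func demo() (legit, relayed, forged error) {
	const rpID, origin, phish = "example.com", "https://login.example.com", "https://login.example-com.test"
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	c1, c2 := "challenge-0001", "challenge-0002"               // RP-issued nonces; real ones are random
	as, err := getAssertion(rpID, key, origin, rpID, c1)
	if err != nil {
		panic(err)
	}
	legit = verifyAssertion(&key.PublicKey, origin, rpID, c1, as)
	// Adversary-in-the-middle: a look-alike page forwards the RP's real challenge to the victim.
	_, relayed = getAssertion(rpID, key, phish, rpID, c1)
	// A captured assertion has its challenge patched to match the attacker's own login attempt.
	f := *as
	f.ClientDataJSON = bytes.Replace(as.ClientDataJSON, []byte(c1), []byte(c2), 1)
	forged = verifyAssertion(&key.PublicKey, origin, rpID, c2, &f)
	return
}

func main() {
	l, r, f := demo()
	fmt.Printf("legit: %v\nrelayed: %v\nforged: %v\n", l, r, f)
}
```

A password or one-time code typed into a look-alike page can be forwarded to the real site and accepted, because nothing in the code says where the user typed it. Here the relayed request never produces an assertion at all, and an assertion that is captured cannot have its client data edited without invalidating the signature; that is the difference Garber is drawing between MFA in general and phishing-resistant MFA.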
An arrest warrant has been issued for the extortionist from Vastaamo.
The Finnish psychotherapy center Vastaamo suffered a series of data breaches starting in 2018, which led to the disclosure of confidential patient data. That data ended up in the hands of an extortionist who tried to blackmail not only the center but also individual Vastaamo clients, under threat of revealing their innermost secrets. The breach was the result of Vastaamo’s mishandling of patient data and therapy session records stored in a poorly secured online database, and Naked Security offers detailed information on the incident’s aftermath. Last month, the Helsinki Times reported that Vastaamo’s former CEO Ville Tapio would be charged not only with data mishandling, but also with failing to report the leak in an attempt to hide the incident from the authorities. In addition, Finland’s National Bureau of Investigation announced on Friday that an arrest warrant had been issued for the alleged extortionist. While the suspect’s name has not been released, authorities say he is a Finnish citizen living abroad, and a court has ordered his detention in absentia. If arrested, he will be handed over to the Finnish authorities.