The Federal Trade Commission is taking action against education technology provider Chegg Inc. for lax data security practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses and passwords. Chegg allegedly failed to address its data security problems despite four security breaches since 2017. The FTC’s proposed order requires the company to strengthen its data security, limit the data it can collect and store, offer users multi-factor authentication to protect their accounts, and allow users to access and delete their data.
“Chegg was quick to use the confidential information of millions of students,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security measures, offer consumers an easy way to delete their data and limit the collection of information on the front end. The commission will continue to act aggressively to protect personal data.”
The California-based company sells educational products and services aimed at high school and college students, including online tutoring and a college scholarship search service. Chegg collects a variety of personal information about its users. For example, as part of its scholarship search service, Chegg collects information about religious affiliation, heritage, dates of birth, sexual orientation, and disabilities. It also collected and stored sensitive personal information about its employees, including dates of birth, Social Security numbers, and financial and medical records.
In the complaint, the FTC alleged that Chegg failed to protect the personal information it collected from its users and employees. As a result, the company suffered four data breaches that exposed this personal information. The first occurred in September 2017, when several Chegg employees fell victim to a phishing attack that allowed an attacker to access employee direct deposit information. Less than a year later, a former Chegg contractor used login credentials the company had issued to employees and third-party contractors to access one of Chegg’s third-party cloud databases containing the personal information of approximately 40 million customers. The exposed information included names, email addresses, passwords and, for some users, sensitive scholarship data such as dates of birth, parents’ income levels, sexual orientation and disability. Over the next two years, Chegg experienced two more data breaches in which phishing attacks against Chegg employees succeeded. Those attacks exposed sensitive data about Chegg employees, including medical and financial information.
The FTC’s complaint alleges that these breaches stemmed from Chegg’s poor data security practices, which included:
- Failure to implement basic security measures: The FTC alleged that, despite its promises, Chegg failed to use “commercially reasonable safeguards” to protect the personal information it collected and stored. For example, at various times during the relevant period, the company failed to require employees to use multi-factor authentication to log into its third-party databases, allowed employees and contractors to share a single login to access those databases, and failed to monitor its networks and databases for threats.
- Insecure storage of information: Chegg stored personal data in its cloud-based databases in plain text and, until at least 2018, used outdated and weak encryption to protect user passwords.
- Failure to develop an adequate security policy and training: Even after three phishing attacks, the company failed to provide adequate security training for employees and contractors and had not implemented a written security policy by January 2021.
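The storage failure above is easiest to see in code. The following is an added example, not code from Chegg or from the FTC filing. The page describes the password weakness only as “outdated and weak encryption”; the example assumes, for illustration, that the concrete form is an unsalted fast hash (MD5), and places that scheme beside a salted, slow key-derivation scheme (PBKDF2-HMAC-SHA256) with upgrade-on-login. The user record, wordlist, iteration count and record format are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Hypothetical parameters chosen for this example, not values from the page.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_md5_record(password: str) -> str:
    """Weak scheme (assumed form of the failure): an unsalted, fast hash.
    Every user with the same password gets the same digest, and one
    precomputed dictionary cracks all of them at once."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Stronger scheme: per-user random salt plus a deliberately slow KDF.
    Record format (this example's own): scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def is_legacy(record: str) -> bool:
    return record.startswith("md5$")


def verify_password(record: str, password: str) -> bool:
    """Check a candidate against either record format.
    The comparison is constant-time so timing does not leak the digest."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        expected = rest
        actual = hashlib.md5(password.encode("utf-8")).hexdigest()
    elif scheme == "pbkdf2_sha256":
        iters, salt_hex, expected = rest.split("$")
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters)).hex()
    else:
        return False
    return hmac.compare_digest(actual, expected)


def login_and_upgrade(store: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate the user; on success, transparently re-hash a legacy
    record so the weak digest is retired the next time it is seen."""
    record = store.get(user)
    if record is None or not verify_password(record, password):
        return False
    if is_legacy(record):
        store[user] = pbkdf2_record(password)
    return True


def crack_unsalted(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on the legacy format: one cheap hash per candidate,
    and the work is reusable against every user because there is no salt.
    Returns None for salted records, where this shortcut does not apply."""
    if not is_legacy(record):
        return None
    target = record[len("md5$"):]
    for candidate in wordlist:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample store: one user whose record was written under the weak scheme.
    store = {"alice@example.edu": legacy_md5_record("correct horse")}
    print("cracked legacy record:", crack_unsalted(store["alice@example.edu"],
                                                    ["password", "123456", "correct horse"]))
    print("login ok:", login_and_upgrade(store, "alice@example.edu", "correct horse"))
    print("record now:", store["alice@example.edu"][:40] + "...")
    print("cracked upgraded record:", crack_unsalted(store["alice@example.edu"], ["correct horse"]))
```

Two points the prose cannot show: the dictionary attack succeeds against the legacy record with three guesses, and the same record becomes useless to that attack the moment the user logs in once, because the upgrade happens on the only occasion the plaintext password is legitimately available to the server.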
As a result of those failures, some of the data on Chegg’s 40 million customers stolen by its former contractor was later found for sale online. Chegg’s failure to protect its employees’ medical and financial information was particularly problematic because that information is valuable on the open market and used for identity theft and fraud, according to the complaint.
Under the proposed order, Chegg would be required to take several steps to address the issues identified in the FTC’s complaint, including:
- Documented and limited data collection: Chegg must document and maintain a schedule that states what personal information the company collects, why it collects it, and when it will delete it.
- Consumer access to data: Chegg must give its customers access to the data collected about them and allow them to request that the company delete that data.
- Multi-factor authentication: Chegg must provide multi-factor authentication or another authentication method for its customers and employees to protect their accounts.
- Implement a security program: Chegg must implement a comprehensive information security program that addresses weaknesses in the company’s data security practices, including encrypting customer data and training security personnel.
The action against Chegg is part of an aggressive effort by the FTC to make education technology companies protect and secure the personal data they collect and not collect more information than necessary. In May 2022, the Commission issued a policy statement warning education technology companies against unlawfully collecting personal information from children under 13, a violation of the Children’s Online Privacy Protection Act, which also requires companies to protect the data they collect. The Commission is also taking steps to strengthen security across the marketplace, including issuing an advance notice of proposed rulemaking on commercial surveillance and data security. And the FTC continues to take action against companies that fail to protect consumer data. Earlier this month, the FTC announced its order against online alcohol delivery marketplace Drizly and its CEO for lax data security practices.
The commission voted 4-0 to file the proposed administrative complaint and accept the settlement agreement with Chegg.
The FTC will soon publish a description of the consent agreement package in the Federal Register. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for submitting comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission files an administrative complaint when there is “reason to believe” that the law has been or is being violated and the Commission believes that the proceeding is in the public interest. When the Commission issues a consent order on a final basis, it has the force of law with respect to future actions. Each violation of such order may result in a civil penalty of up to $46,517.