Federal Trade Commission takes action against Chegg, an Ed Tech provider, for exposing personal data of millions of customers due to careless security

November 22, 2022

The Federal Trade Commission (the “FTC”) has been quite an assertive regulator on privacy issues in the United States.  It has its fair share of detractors; however, it has been successful in developing a body of law relating to businesses not complying with their representations as to privacy and data security.  It has been so successful in that respect that Daniel Solove, a prominent privacy academic in the United States, has suggested that the FTC has developed the common law of privacy.  The consent agreements the FTC has developed (enforceable undertakings, in Australian parlance) are very effective and should provide a very useful template when drafting obligations on entities in Australia that interfere with Australians’ privacy.  The enforceable undertakings imposed by the Australian Information Commissioner to date are anemic by comparison.  They may also be useful inspiration when, hopefully and eventually, individuals have a right to bring an action against companies and government agencies and terms of settlement are required.

The FTC has brought an action against Chegg for careless security which led to four separate data breaches in the space of three years, being:

  • in September 2017, Chegg employees fell for a phishing attack, giving the threat actors access to employees’ direct deposit information
  • in April 2018, a former contractor used an AWS root credential to access one of Chegg’s S3 databases and exfiltrate a database containing the personal information of approximately 40 million users of the Chegg platform.  Chegg only discovered this data breach when informed by a threat intelligence vendor
  • in April 2019, a senior Chegg executive fell victim to a phishing attack, giving the threat actor the executive’s credentials to Chegg’s email platform and exposing personal information about Chegg’s consumers and employees.  The email system was in a default configuration that allowed Chegg’s multifactor authentication requirement to be bypassed.
  • in April 2020, Chegg’s senior employee responsible for payroll fell victim to a phishing attack, giving the threat actor the employee’s credentials to Chegg’s payroll system.  W-2 information, including the birthdates and Social Security numbers of approximately 700 current and former employees, was exfiltrated.

Needless to say, the failure of Chegg to improve data security after the first and second data breaches is a focus of the FTC complaint.

Data breaches like those above are regular enough occurrences in Australia.  The failure to properly remediate and improve data security after a data breach is also all too common among Australian organisations.

The FTC statement provides:

The Federal Trade Commission is taking action against education technology provider Chegg Inc. for its lax data security practices that exposed sensitive information about millions of its customers and employees, including Social Security numbers, email addresses and passwords. Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017. The FTC’s proposed order requires the company to bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”

The California-based company has sold educational products and services targeted to high school and college students, including online tutoring and a college scholarship search service. Chegg collects a variety of personal information about its users. For example, as part of its scholarship search service, Chegg has collected information about users’ religious denominations, heritage, dates of birth, sexual orientation, and disabilities. It also has collected and stored sensitive personal information about its employees, including dates of birth, Social Security numbers, and financial and medical data.

In a complaint, the FTC alleged that Chegg failed to protect the personal information it has collected from its users and employees. As a result, the company experienced four data breaches that exposed that personal information. The first occurred in September 2017, when multiple Chegg employees fell for a phishing attack that allowed a hacker to gain access to employees’ direct deposit information. Less than a year later, a former Chegg contractor used login information the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing personal information of approximately 40 million customers. The exposed personal information included names, email addresses, passwords, and for certain users, sensitive scholarship data such as dates of birth, parents’ income range, sexual orientation, and disabilities. In the next two years, Chegg experienced two more data breaches involving phishing attacks that successfully targeted Chegg employees. These attacks exposed sensitive data about Chegg’s employees including medical and financial information.

The FTC’s complaint alleges that these data breaches stemmed from Chegg’s poor data security practices, which included:

    • Failing to implement basic security measures: The FTC alleged that despite its promises, Chegg failed to use “commercially reasonable security measures” to protect personal information it collected and stored. For example, at various times throughout the relevant time period, it did not require employees to use multifactor authentication measures to log into its third-party databases, allowed employees and contractors to use a single login to access those databases, and failed to monitor its network and databases for threats.
    • Storing information insecurely: Chegg stored personal data on its cloud storage databases in plain text and used until at least 2018 outdated and weak encryption to protect user passwords.
    • Failing to Develop Adequate Security Policies and Training: Even after experiencing three phishing attacks, the company failed to provide adequate security training to employees and contractors and implement a written security policy until January 2021.

As a result of these failures, some of the data about Chegg’s 40 million customers stolen by its former contractor was later found for sale online. Chegg’s failure to protect its employees’ medical and financial data was particularly problematic since this information is valuable on the open market and is used to commit identity theft and fraud, according to the complaint.

As part of the proposed order, Chegg will be required to take several steps to address the problems outlined in the FTC’s complaint including:

    • Detail and Limit Data Collection: Chegg must document and follow a schedule that sets out what personal information the company collects, why it collects the information, and when it will delete the information.
    • Provide Consumer Access to Data: Chegg must provide its customers access to data collected about them and allow them to request that the company delete that data.
    • Implement Multifactor Authentication: Chegg must provide multifactor authentication or another authentication method to its customers and employees to help protect their accounts.
    • Implement Security Program: Chegg must implement a comprehensive information security program that addresses the flaws in the company’s data security practices including encrypting consumer data and providing security training to its employees.

The action against Chegg is part of the FTC’s aggressive efforts to ensure education technology companies protect and secure personal data they collect and do not collect more information than is necessary. In May 2022, the Commission issued a policy statement warning education technologies against illegally collecting personal information from children under 13 in violation of the Children’s Online Privacy Protection Act, which also requires companies to secure the data they collect. The Commission also is taking steps to bolster security market-wide, including initiating an advance notice of proposed rulemaking on commercial surveillance and lax data security practices. And the FTC continues to hold companies accountable for failing to secure consumer data. Earlier this month, the FTC announced an order with the online alcohol delivery marketplace Drizly and its CEO for its lax data security practices.

According to the Complaint:

  • the sensitive information Chegg collects can include a user’s:
    • religious denomination,
    • heritage,
    • date of birth,
    • parents’ income range,
    • sexual orientation,
    • disabilities, and
    • videos of tutoring sessions that include the user’s image and voice
  • Chegg collects employees’ names, dates of birth, Social Security numbers, and financial information
  • Chegg’s lax security practices included failing:
    • to implement reasonable access controls to safeguard users’ personal information stored in S3 databases, by failing:
      • to require employees and third-party contractors to use distinct access keys, instead permitting them to use a single AWS access key that provided full administrative privileges over all data;
      • to restrict access to systems based on employees’ or contractors’ job functions;
      • to require multi-factor authentication; and
      • to rotate access keys to the S3 databases;
    • to encrypt users’ and employees’ personal information on Chegg’s network and databases, storing it instead in plain text;
    • to use current, secure cryptographic hash functions to protect users’ passwords, using outdated and insecure ones instead;
    • to develop, implement, or maintain adequate written organizational information security standards, policies, procedures, or practices;
    • to provide adequate guidance or training for employees or third-party contractors regarding information security and safeguarding users’ and employees’ personal information, including failing to require data security training;
    • to have a policy, process, or procedure for inventorying and deleting users’ and employees’ personal information after that information is no longer necessary; and
    • to adequately monitor its networks and systems for unauthorised attempts to transfer or exfiltrate users’ and employees’ personal information outside of Chegg’s network boundaries.
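The complaint’s point about password storage is easy to state but worth seeing in working code.  The block below is an added illustration, not Chegg’s code and not anything taken from the complaint: it places a legacy unsalted, fast hash beside a salted, memory-hard scheme (scrypt from Python’s standard library) and shows how an organisation migrates stored records transparently at the user’s next login.  Assumptions: the legacy function is MD5 (the page does not name the function Chegg used), the record format `scrypt$n$r$p$salt$digest` is invented here, the scrypt cost parameters are sized for a quick run, and the two sample user records are constructed.

```python
"""Legacy vs. hardened password storage.

Added illustration only: not Chegg's code and not from the FTC complaint.
Assumptions: the legacy scheme is unsalted MD5 (the page does not name the
function Chegg used); the record format and scrypt parameters are chosen here.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# --- Legacy scheme: a fast, unsalted hash (what "outdated and insecure" looks like)


def legacy_hash(password: str) -> str:
    """Unsalted MD5 hex digest, assumed here as the legacy record format."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precomputed digest -> password table.

    With no per-user salt, one table cracks every account that chose any of
    these passwords, which is why a stolen table of unsalted hashes is so damaging.
    """
    return {legacy_hash(p): p for p in candidates}


# --- Hardened scheme: per-user random salt + memory-hard KDF (scrypt, stdlib)

SCRYPT_N = 2 ** 14   # CPU/memory cost; demo value, raise for production use
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per record
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN,
    )
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a scrypt record."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2,
        )
    except ValueError:                          # malformed record
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_upgrade(stored: str) -> bool:
    """True for records still in the legacy (unsalted MD5) format."""
    return not stored.startswith("scrypt$")


def check_login(password: str, stored: str) -> Tuple[bool, str]:
    """Authenticate and, on success against a legacy record, rehash it.

    Returns (ok, record_to_store): callers persist the second value, so the
    legacy hash disappears from the database at the user's next login.
    """
    if needs_upgrade(stored):
        if hmac.compare_digest(legacy_hash(password), stored):
            return True, hash_password(password)
        return False, stored
    return verify_password(password, stored), stored


if __name__ == "__main__":
    # Constructed sample: two users who picked the same weak password.
    legacy_db = {"alice": legacy_hash("password"), "bob": legacy_hash("password")}
    table = legacy_lookup_table(["123456", "password", "qwerty"])
    for user, rec in legacy_db.items():
        print(user, "cracked ->", table.get(rec))   # both recovered from one table
    ok, new_rec = check_login("password", legacy_db["alice"])
    print("alice login ok:", ok, "| migrated:", new_rec.startswith("scrypt$"))
    print("same password, different records:",
          hash_password("password") != hash_password("password"))
```

The lookup table is the whole argument against the legacy scheme: because there is no salt, the same password always produces the same digest, so an attacker who obtains a 40-million-row table does not attack accounts one at a time but all of them at once.  The salted scrypt record removes that, and the upgrade-on-login path is how an organisation retires the weak format without forcing a mass password reset.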

As is usual, the media coverage was extensive and damning, including Bleeping Computer’s “Chegg sued by FTC after suffering four data breaches within 3 years” and The Register’s “Education tech giant gets an F for security after sensitive info on 40 million users stolen”.
