FTC Sues Online Educational Company Over Data Breaches
- by Wendy Davis @wendyndavis, October 31, 2022
Educational company Chegg's “lax security” resulted in data breaches that exposed students' religions, sexual orientation, disabilities and other sensitive data, the Federal Trade Commission alleged in a complaint unveiled Monday.
Cheggg -- which offers services including online tutoring, textbook renting and scholarship-related information -- suffered four data breaches between 2017 and 2020, according to the FTC.
Three of the data breaches occurred as a result of phishing attacks, while a fourth occurred when a former contractor obtained information Chegg had stored in Amazon's cloud, the Amazon Web Services, the complaint alleged. That cloud data included information relevant to students' searches for scholarships, such as birthdates, religions, disabilities and parents' income.
The FTC said in its complaint that even though Clegg encrypted passwords, the company used an outdated encryption technology.
“Had Chegg employed reasonable access controls and monitoring, it would have likely detected and/or stopped the attack more quickly,” the FTC alleged.
In addition to student data, hackers also obtained data about Clegg employees, the FTC alleged.
The agency claimed that Clegg engaged in a deceptive practice by stating in its privacy policy that it took “commercially reasonable security measures” to protect users' data, and that it acted unfairly by failing to take reasonable steps to protect personal information.
Chegg didn't admit to any wrongdoing, but agreed to establish a comprehensive security program and obtain independent biennial assessments by a third-party for 20 years.
The company also agreed to establish a retention schedule for consumer information, and give consumers the opportunity to request to access their data, or request its deletion.
A Chegg spokesperson said data privacy is “a top priority,” and that the company “is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”
