Educational company Chegg's “lax security” resulted in data breaches that exposed students' religions, sexual orientation, disabilities and other sensitive data, the Federal Trade
Commission alleged in a complaint unveiled Monday.
Chegg -- which offers services including online tutoring, textbook renting and scholarship-related information -- suffered four data
breaches between 2017 and 2020, according to the FTC.
Three of the data breaches occurred as a result of phishing attacks, while a fourth occurred when a former contractor obtained information
Chegg had stored in Amazon's cloud service, Amazon Web Services, the complaint alleged. That cloud data included
information relevant to students' searches for scholarships, such as birthdates, religions, disabilities and parents' income.
The FTC said in its complaint that even though Chegg
encrypted passwords, the company used an outdated encryption technology.
“Had Chegg employed reasonable access controls and monitoring, it would have likely detected and/or stopped the
attack more quickly,” the FTC alleged.
In addition to student data, hackers also obtained data about Chegg employees, the FTC alleged.
The agency claimed that Chegg engaged in a
deceptive practice by stating in its privacy policy that it took “commercially reasonable security measures” to protect users' data, and that it acted unfairly by failing to take
reasonable steps to protect personal information.
Chegg didn't admit to any wrongdoing, but agreed to establish a comprehensive security program and obtain independent biennial assessments by
a third party for 20 years.
The company also agreed to establish a retention schedule for consumer information, and give consumers the opportunity to request to access their data, or request
its deletion.
A Chegg spokesperson said data privacy is “a top priority,” and that the company “is wholly committed to safeguarding users’ data and has worked with
reputable privacy organizations to improve our security measures and will continue our efforts.”