FTC sues Chegg after the homework helper suffered four data breaches in three years

The FTC has taken action against Chegg for exposing sensitive student data | Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images

The Federal Trade Commission filed a complaint on Monday against education technology provider Chegg, which has experienced four data breaches since 2017 (via The New York Times).

In one 2018 incident, a former Chegg contractor gained access to one of its third-party cloud databases, exposing personal information such as names, email addresses, and passwords in addition to students’ religion, sexual orientation, disabilities, and parents’ income. Some of the stolen data was later found for sale online. Officials also said Chegg didn’t have a written security policy until January 2021 and failed to provide sufficient security training to its employees.

Now the FTC says that across all the breaches, Chegg’s insufficient cybersecurity practices resulted in exposing data for approximately 40 million users. Chegg has agreed to honor a proposed order from the FTC to improve its data security, which will see the company implement multifactor authentication, provide security training to employees, encrypt user data, and allow customers to access and delete their data from the platform.

In a statement provided to The New York Times, Chegg said data privacy was a top priority for the firm and that only a small percentage of users had provided data on their religion and sexual orientation as part of a college scholarship finder feature. “Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts,” the statement said.

“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”