The FTC has taken action against Chegg for exposing sensitive student data | Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images
The Federal Trade Commission filed a complaint on Monday against education technology provider Chegg, which has experienced four data breaches since 2017 (via The New York Times).
In one 2018 incident, a former Chegg contractor gained access to one of its third-party cloud databases, exposing personal information such as names, email addresses, and passwords in addition to studentsâ religion, sexual orientation, disabilities, and parentsâ income. Some of the stolen data was later found for sale online. Officials also said Chegg didnât have a written security policy until January 2021 and failed to provide sufficient security training to its employees.
Now the FTC says that across all the breaches, Cheggâs insufficient cybersecurity practices resulted in exposing data for approximately 40 million users. Chegg has agreed to honor a proposed order from the FTC to improve its data security, which will see the company implement multifactor authentication, provide security training to employees, encrypt user data, and allow customers to access and delete their data from the platform.
In a statement provided to The New York Times, Chegg said data privacy was a top priority for the firm and that only a small percentage of users had provided data on their religion and sexual orientation as part of a college scholarship finder feature. âChegg is wholly committed to safeguarding usersâ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts,â the statement said.
âChegg took shortcuts with millions of studentsâ sensitive information,â said Samuel Levine, Director of the FTCâs Bureau of Consumer Protection. âTodayâs order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.â