FTC Takes Action Against Chegg for Alleged Data Breaches

Staff Writer
FTC issues findings against Chegg, EdWeek Market Brief

The Federal Trade Commission says it has filed a legal complaint to force Chegg, an ed-tech company that provides textbook rentals and online homework help, to ramp up its data security efforts after the company allegedly exposed sensitive information about millions of users.

In response, Chegg said in a statement that data privacy is a top priority for the company and it “worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the commission’s administrative order.”

Chegg, which has a market cap of roughly $2.7 billion and employs about 1,700 people, saw its stock price close at $21.11 Tuesday afternoon, down from $22.80 on Friday afternoon. The FTC announced action against the company on Monday.

Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, said in a statement that Chegg “took shortcuts with millions of students’ sensitive information,” and the commission’s proposed consent agreement requires Chegg “to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end.”

The case is tied to four data breaches the company experienced starting in 2017, when the FTC says employees who fell for a phishing attack inadvertently allowed a hacker access to those workers’ direct deposit information. In a 2018 incident, the complaint states that a former contractor used login information that was shared with both employees and contractors to access a database containing personal information of about 40 million customers, including their names, email addresses, and passwords.

Information about birth dates, family income, sexual orientation, and disabilities of students who used a scholarship search feature was also exposed, the commission alleged.

The complaint said two other phishing attacks also exposed sensitive medical and financial information about Chegg employees.

Actions Required

The breaches were tied to Chegg’s failure to implement basic security measures, such as multi-factor authentication and monitoring networks and databases for threats, according to the complaint. The FTC also accused Chegg of using weak encryption to protect passwords and failing to develop adequate security policies and training.

As a result of the breaches, the FTC said it is requiring the company to detail what data it collects and when it will be deleted; provide customers access to data and allow them to delete their data; implement multi-factor authentication for both customers and employees; and implement a security program that includes encrypting user data and providing security training to employees.

The Commission voted 4-0 to issue the proposed administrative order against Chegg and accept a consent agreement with the company. After publishing the agreement, the Commission will accept public comment for 30 days, after which time the FTC will vote on whether to finalize the proposed order.

In its statement, Chegg noted the incidents in the Federal Trade Commission’s complaint related to issues that occurred more than two years ago and said no monetary fines were assessed.

“We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program,” its statement read. “Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”

The FTC’s crackdown on Chegg comes as ed-tech companies’ data security efforts have been under the microscope, especially in the wake of the pandemic when districts, students, and families increasingly turned to digital tools to help manage remote learning and learning losses.

In May, the FTC issued a policy statement reminding ed-tech companies of their responsibility on data privacy, and that students’ rights cannot be compromised when they access online tools.
