Education Company Chegg Acknowledges Data Breach, Puts 40 Million Users on Notice

Managing Editor

The tutoring and textbook company Chegg recently acknowledged a data breach that potentially affected 40 million users, in just the latest revelation of an education business’ vulnerability to hacking.

The California-based company, which made its name as hub for rentals of college textbooks, revealed the breach on Sept. 19 in an 8K financial disclosure to the Securities and Exchange Commission.

It took time for the news to reach investors, but when it did, Chegg’s stock price fell sharply, from a recent peak of more than $32 a share on Sept. 25 to $27.42 less than a week later.

In its statement, Chegg said that the breach occurred on around April 29 of this year. An unauthorized party gained access to a company database that hosts users of and a number of other company brands, including EasyBib, a Chegg subscription service to help with writing and citations.

“The Company understands that the information that may have been obtained could include a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password,” the company said.

No social security numbers or financial information such as users’ credit card numbers or bank information was revealed, the company asserted.

News of Chegg’s data breach emerged two weeks after the FBI issued a warning about data-privacy risks posed schools’ use of ed-tech that collects personal information, from web search histories to biometric data.

Chegg’s main focus is in higher education, and its business includes tutoring, homework assistance and other services, some of which draw high school users.

Despite Chegg’s postsecondary focus, the security lapse offers a “case study” for pre-college providers and schools on data-security risks, said Phil Hill, a consultant, in an interview. Hill wrote about the data breach on his blog, e-literate. “If I were a K-12 company I’d be watching this very closely.”

Chegg officials said in their statement that they began notifying 40 million active and inactive registered users and “certain regulatory authorities” on Sept. 26.

Company spokesman Marc Boxser told EdWeek Market Brief this week that the company is informing all of its users who were potentially affected by the breach, and telling them to reset their passwords, “out of an abundance of caution.”

All password resets are expected to be completed by today, Boxser said.

New Regulations Set the Bar

One of the first to call attention to the Chegg breach was Hill, an education consultant and market analyst for the company MindWires Consulting who posted a blog and a tweet about the SEC disclosure.

Investors may have been spooked not only by the vulnerabilities laid bare by the data breach, but also by the possibility that some Chegg users who did not realize they were still subscribing to various company services would get a data-security notice and then want to opt out, speculated one Morgan Stanley analyst, as quoted by Bloomberg.

One of the more pressing questions is whether the breach will draw the scrutiny of data-privacy regulators, said Hill in an interview. He pointed to the new rules put in place as part of GDPR, the sweeping European data privacy regulation that took effect earlier this year.

The European policy has come into focus recently with the admission by social media giant Facebook — which has a major presence in schools — that hackers gained access to 50 million of its accounts. European authorities have said they are investigating how many users on the continent were affected, and whether it would trigger GPDR enforcement.

Facebook could face a fine of around 4 percent of its revenues, or $1.6 billion by some accounts, if it was found to have violated GDPR.

Boxser said Chegg is “principally U.S.-based, and the core focus of our business is the United States.”

“We are providing notice to the particular regulatory agencies, in the U.S. and internationally — including Europe,” he said. He declined to name the regulators.

Follow EdWeek Market Brief on Twitter @EdMarketBrief or connect with us on LinkedIn.

See also:

12 thoughts on “Education Company Chegg Acknowledges Data Breach, Puts 40 Million Users on Notice

  1. It is appropriate time to make some plans foor the future and
    it’s time to be happy. I’ve read this post and if I coulld I want to suggest you few interesting things or tips.
    Maybe you could write next articles referring to this article.
    I desire to read even moree things about it!

  2. Terrific post however , I was wanting to know if you could write a litte more
    on this topic? I’d be very grateful if you could elaborate a little bit further.

    Bless you!

  3. Robloxian Excessive School and Roblox High
    Faculty: Two function-enjoying games with the same concept; it
    is set in a small town high school, where you may make
    friends, go to class, drive cars or use skateboards, select what type of
    person you need to be (freshman, sophomore, principal and the like)
    and partake in after-school activities.

  4. Turnkey interior contractor in Bangalore Turnkey interior contractor in Dehradun Turnkey interior contractor in Jaipur Turnkey interior contractor in Delhi Turnkey interior contractor in Chandigarh Turnkey interior contractor in Lucknow Turnkey interior contractor in Mohali Turnkey interior contractor in Panchkula Turnkey interior contractor in Zirakpur Turnkey interior contractors in Gurgaon Turnkey interior contractor in Noida Turnkey interior contractor in Ghaziabad Turnkey interior contractor in Faridabad

Leave a Reply