FTC slams Chegg for chronic, ‘negligent security’ | Techno Glob

Dive Brief:

  • Chegg, the online tutoring and textbook rental company, has long been in the Federal Trade Commission’s crosshairs for poor security practices after it exposed the personal information of nearly 40 million customers and employees.
  • Chegg, which caters to high school and college students, “failed to address issues with data security after experiencing four security breaches between 2017 and 2020,” the FTC alleged in the complaint.
  • The FTC will require Chegg to explain what data it collects, why it collects that information, and when it will be deleted. The company must also delete unnecessary data, allow customers to access the data collected about them, and let customers request that Chegg delete that data.

Dive Insight:

Chegg, which the FTC has accused of “reckless security,” is the second firm the federal agency has held responsible for cybersecurity lapses in the past week. Similar measures were imposed on Drizly last week over security practices that exposed the data of nearly 2.5 million consumers.

The FTC reported four security breaches at Chegg in September 2017, April 2018, June 2019 and April 2020. Three of the breaches involved phishing attacks that successfully targeted employees.

During the April 2018 breach a former Chegg contractor used legitimate login credentials to access a third-party cloud database containing the personal information of nearly 40 million consumers, according to the FTC. Some of the data stolen by Chegg’s former contractor was later found for sale online.

The personal information exposed during the breach, Chegg’s most extensive and damaging, included names, email addresses, passwords and some users’ sensitive scholarship data such as date of birth, parental income range, sexual orientation and disability, the FTC said.

Chegg, a California-based company that was founded in 2005 and went public in 2013, did not have a written security policy or provide adequate security training to employees and contractors as of January 2021. The company stored personal data in plain text on a cloud storage database and used weak encryption until at least 2018, the agency said.

The incidents referenced in the FTC’s complaint occurred two years ago, and the company will fully comply with the mandates in the proposed order, a Chegg spokesperson told Cybersecurity Dive.

“Chegg took a shortcut with millions of students’ sensitive information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “[Monday’s] order requires the company to strengthen security safeguards, provide customers with an easy way to delete their data and limit information collection on the front end.”

The order requires Chegg to implement an information security program covering those security measures within 90 days and to provide multifactor authentication to all users within six months. Chegg must also submit to a third-party security assessment and provide an annual certification from a senior executive responsible for the company’s security program.

“We have been improving and improving our security program over the years. Most of the information security program requirements are already part of our operations, and we will comply with any remaining pieces as required by the order,” a Chegg spokesperson said via email.
