November 2, 2022

FTC brings action against education technology company for failing to protect data

The US Federal Trade Commission has issued a draft complaint and simultaneously issued a consent order and agreement with Chegg, Inc., an educational technology company based in Santa Clara, California.  

Chegg’s business includes the sale of educational products and services directly to high school and college students.  The services include textbook rental, online tutoring, and writing assistance. As part of its online tutoring program, Chegg records videos of tutoring sessions, and as part of its scholarship search service, the company collects information about its users’ religious affiliations, heritage, birthdates, parents’ income, sexual orientation and disabilities.

The FTC alleged that Chegg’s practices around the collection and storage of this sensitive data were lax during the period from 2017 to the present.  To store sensitive customer and employee information, Chegg used a third-party cloud service.  The FTC found that Chegg allowed the data to be stored in plain, rather than encrypted, text, and that the company failed to require employees and third parties who accessed the cloud service storage “buckets” to use distinct access keys; nor did Chegg require multi-factor authentication for access to the storage databases.  Additionally, until 2018 the company used outdated and unsecure cryptographic hash functions to protect users’ passwords, failed to train employees and contractors regarding information security, and until January 2021, failed to implement adequate written organizational information security standards, policies and procedures.  According to the FTC, the company also failed to monitor its networks for attempts at unauthorized access and exfiltration of the personal data stored there.

The FTC found that Chegg’s lax information security practices failed to provide reasonable security for the personal information it collected from consumers and employees – the latter included social security numbers and bank account information — and led to exposure and compromise of the data on several occasions:

  • In September 2017, Chegg employees without training in safe data security practices succumbed to phishing attacks that exposed employees’ direct deposit information.
  • In April 2018, a former contractor exfiltrated a database containing the scholarship search information of approximately 40 million applicants in plain text, along with the users’ passwords, which were encrypted using an outdated, decodable cryptographic function.Six months later, when Chegg was informed by a threat intelligence vendor that some of the exfiltrated data was available online, Chegg implemented some access controls and required users to change their passwords, but the company allowed important security deficiencies to persist.
  • In 2019 and 2020, a Chegg executive and a senior payroll employee fell victim to phishing attacks that exposed the financial and medical information of hundreds of employees.The executive’s email was configured such that multifactor authentication was bypassed.The FTC found that these hacks might not have been successful if the employees had been properly trained and if the email had been configured appropriately.

In its complaint, the FTC states that Chegg’s published privacy policy was deceptive in that it provided that Chegg “takes commercially reasonable security measures to protect the Personal Information submitted to us” and “take[s] steps to ensure that your information is treated securely.” 

Under the terms of the consent order, Chegg and its officers, agents and employees must not misrepresent the extent to which the company collects, maintains and deletes data, and the extent to which it protects the privacy, security and integrity of that data.  The order also requires that Chegg document and adhere to an acceptable retention schedule for the data it collects from consumers and employees, and provide channels of communication whereby users can request access to and deletion of their data.  The company will be required to notify users whose information was exposed in one of the identified breaches.  It must also offer mutifactor authentication methods to its users.

Importantly, the order requires Chegg to establish, implement and maintain a comprehensive information security program that entails documentation; evaluation; annual risk assessment; designation of a qualified employee to be responsible for the program; implementation and documentation of safeguards that control for internal and external data security risks; annual employee training; the establishment of an incident response plan; mandatory multifactor authentication for all employee and contractor access; encryption of social security, tax, medical and financial information; up-to-date configuration standards; policies and procedures for the installation and inventory of information technology assets; timely investigation and remediation of security events; the implementation of adequate vulnerability and patch management procedures; testing and monitoring of data security safeguards, and; proper due diligence on third parties or acquired entities that maintain, process or transmit sensitive data.

The order also requires that Chegg engage an independent third-party monitor to assess and report on the company’s compliance with provisions of the order biennially for twenty years.  Annual certification of compliance by a senior corporate manager or senior officer is also mandated, as are reports to federal state or local authorities within ten days of a security incident.

FTC press release | Complaint | Decision and order