Edtech company Chegg website with logo showing FTC complaint of data breaches

FTC Takes Legal Action Against Edtech Outfit Chegg Over Years-long String of Data Breaches

A pattern of data breaches that ran for four years, attributed to “carelessness” by the Federal Trade Commission (FTC), has landed edtech giant Chegg in legal trouble.

The FTC has filed a complaint that cites four data breaches that took place between 2017 and 2020, causing the theft of 40 million customer records. The agency attributes these incidents to poor security practices, including shared employee logins and storing data in plaintext. The complaint includes orders to Chegg (and by extension the edtech industry) to tune up its data security program and ensure that customers have access to their stored data.

Chegg security lapses increase expectations for the edtech industry

Chegg has been in business since 2005 and offers a variety of edtech services, including textbook rental and online tutoring. The company saw a tremendous boost in growth during 2020 and 2021 due to the Covid-19 pandemic measures that had most students working from home. But the FTC investigation indicates that the company’s cybersecurity practices had long been insufficient to protect the sensitive data that was being collected.

Chegg’s present legal trouble dates back to about four years prior to the pandemic. From 2017 to 2020 the company experienced four serious data breaches, and the FTC finds that this was not simply a run of bad luck but rather an endemic lack of concern for cybersecurity and safe handling of user data.

In addition to collecting payment information, the edtech giant’s various services (particularly its scholarship search service) also collected assorted categories of sensitive personal information that businesses do not often have access to: disability information, date of birth, household income, religious affiliation, and more. The company used AWS S3 to store all of this information, but reportedly allowed all of its third party contractors to access it with full administrative privileges using a single access key. Employee data stored in plaintext, including Social Security numbers and banking information, was also reportedly at risk.

Reckless use of AWS S3 was far from the only failure that caused trouble for Chegg. The FTC complaint reads like a laundry list of the sort of poor cybersecurity practices that routine employee training is directed at. The company did not encrypt any of its stored data, did not have any multi-factor authentication requirements, used the outdated and insecure MD5 cryptographic function to secure user passwords until 2018, did not have employee or contractor security training in place until 2020, did not have any kind of formal cybersecurity policies in place until 2021, did not properly inventory and delete the outdated personal information it was storing, and was not monitoring the internal network for unauthorized exfiltration of personal information.

Most of the edtech’s data breaches involved phishing, but a rogue former employee of a contractor noticed this very lax internal security in 2018 and took advantage of it to steal 40 million files full of plaintext data and passwords secured only by MD5. Chegg had been handing out its AWS Root Credential to contractors, despite Amazon’s warning to all customers that this should be handled like a “credit card number” or similarly sensitive information. The FTC also found that had the company had adequate security monitoring in place at the time, it would have noticed the files being stolen. Later in 2018 Chegg was notified that the cracked passwords had been found for sale on the dark web, but the company continued to store plaintext customer information in its S3 accounts.

The first of the phishing incidents that led to data breaches was in 2017, when an employee account was compromised and attackers were able to access payroll department direct deposit information. The FTC found that, at the time, the company had no relevant security training for employees in place. A senior Chegg executive was phished in 2019 leading to compromise of the company’s entire email system, which had been configured to bypass MFA to allow for more convenient employee access. And in 2020 a senior payroll employee was phished, leading to tax information for some 700 of the edtech company’s current and former employees being stolen. The FTC found that security training was not updated to address these issues after they occurred.

Sequence of data breaches prompts mandatory security improvements

Chegg has settled the complaint, and the FTC’s order requires the edtech giant to restructure its data protection program. It also must follow a schedule in collecting personal information and notifying data subjects of how it is used, and must also provide access to the stored data and ability to request deletion. And both customers and employees must be provided with two-factor authentication login options. Violations of these orders can bring fines of up to $46,517 for each incident, but the settlement allows the company to avoid any immediate financial penalty.

The legal action appears to be part of a broader crackdown on poor practices in the edtech industry; the FTC issued a policy memo in May indicating that it was targeting the industry over complaints of handling of student data and excessive collection. There have been actions against a variety of industries as of late, however, with major penalties assessed to Uber and alcohol delivery app Drizly for similar issues.

Joe Garber, CMO at Axiad, sees this as likely not enough to turn around the company’s security issues in the near term: “This news is yet another example of an organization not being as prepared as necessary for an identity-based cyberattack, and then paying the price. In this case, the warning signs were certainly visible, as they had four breaches in the last three years, which means the latest was preventable. The U.S. Federal Trade Commission (FTC) requiring specific changes to the organization’s cybersecurity posture makes logical sense in this context – particularly the actions required to better secure user accounts. However, the mandate to simply implement MFA probably doesn’t go far enough given the organization’s history of being targeted with phishing attacks. It is important to know that not all MFA is the same, and bad actors often can subvert the authentication process – often by stealing users’ credentials via fake login pages – with lesser capabilities in place. MFA fortified with phishing-resistant methods such as FIDO2 and Certificate-Based Authentication (CBA), as well as leveraging strong hardware tokens and conforming to standards like user behavior validation, provide the most robust level of security against phishing attacks. Such an approach would seemingly be appropriate in this situation.”