On October 31, 2022, the Federal Trade Commission (FTC) announced it has taken action against education technology provider Chegg Inc. (“Chegg”) for its “careless” cybersecurity practices that exposed sensitive personal information of millions of its customers and employees. This action highlights the FTC’s continued efforts to aggressively protect consumer personal data.
The FTC’s complaint alleges that the California-based company’s lax security practices led to four separate data breaches between 2017 and 2020, three of which involved phishing attacks that successfully targeted Chegg employees. The fourth incident, in 2018, involved a former Chegg contractor gaining unauthorized access to one of the company’s third-party cloud databases, exposing the personal information of approximately 40 million customers. Some of the stolen personal information, which included names, email addresses, passwords, and, for certain students, date of birth, religion, sexual orientation, disabilities, and their parents’ income range, was later found for sale online. These lax security practices, according to the FTC, constitute unfair acts or practices under Section 5 of the FTC Act, because the failure to maintain reasonable security measures caused or is likely to cause substantial injury to customers. The FTC also found that Chegg made deceptive representations, also a violation of Section 5 of the FTC Act, by claiming that it used reasonable measures to protect the personal information of customers.
According to the FTC, these breaches were the result of poor data security practices, such as:
- Lack of multifactor authentication;
- The use of a single access key by employees and contractors that granted full administrative rights to all data in Chegg’s databases;
- Storing users’ and employees’ information in plain text;
- Failure to monitor networks for suspicious activity;
- Failure to implement a written security policy until January 2021; and
- Not providing adequate employee security training even after three phishing attacks.
The proposed order will require Chegg to improve its cybersecurity practices by: (1) implementing a comprehensive information security program; (2) encrypting certain sensitive data at rest, including, at a minimum, Social Security numbers, passport numbers, financial account information, tax information, dates of birth, medical information, and user account credentials to Chegg’s computer networks, including its cloud storage (Amazon Web Services); (3) implementing multifactor authentication to help users and employees secure their accounts; (4) providing appropriate phishing training to employees; (5) limiting the data it collects and stores; and (6) allowing customers to access and delete personal information collected about them. Continuing the FTC’s focus on data disposal and minimization, Chegg must, within 60 days after the issuance of the order, document and adhere to a retention schedule for certain “Covered Information,” which includes certain personal information data elements. Chegg must further notify all individuals impacted by one of the four breaches who did not previously receive notice, seemingly using a notice template that the FTC provides as Attachment A; that template may offer valuable insight into how the FTC will evaluate the sufficiency of companies’ breach notifications moving forward.
The FTC’s proposed order against Chegg serves as a warning for companies to consider implementing the following security controls:
- Deploy multifactor authentication to protect against unauthorized access to user accounts;
- Secure sensitive information, including consumer personal information. In particular, strong cryptographic protocols are preferred, and companies should generally avoid deprecated cryptographic algorithms such as MD5, which the FTC cited as an inadequate encryption standard in this order against Chegg, as well as in the recent proposed order against Drizly;
- Limit access to sensitive information;
- Limit the number of users with privileged root access to the company’s core databases;
- Respond to data security incidents in a timely fashion and remediate known security gaps; and
- Conduct regular security awareness training and phishing testing.
The proposed order is subject to a 30-day public comment period after which the FTC will decide whether to make the proposed consent order final.