Federal government cracks down on education technology companies for improper security measures, affecting millions of users

CHARLOTTE, NC (WBTV) – The Federal Trade Commission is issuing strong orders to a popular education technology company used by millions of high school and college students.

Earlier this week, the FTC filed a complaint against the company Chegg Inc. over its lax security measures, which exposed millions of users’ personal information, including passwords, gender, sexual orientation, family income, and employees’ direct deposit information.

According to that ComplaintChegg has reportedly failed to update and strengthen its security measures, despite multiple breaches dating back to 2017.

“Chegg has truncated the sensitive information of millions of students,” said Samuel Levine, director of the FTC’s Consumer Protection Bureau. “[This] Mission requires the company to strengthen safeguards, provide consumers with an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”

The web-based business allows users to buy/borrow and sell textbooks, get textbook homework help, use tutoring services, and use the website to search for scholarships.

Tay-Keara Bristol, a graduate student at Johnson C. Smith University who has an account with Chegg, says she was discouraged when she heard about the data breaches.

“It’s definitely a concern because we only use these sites to get extra help in class and the class is hard enough as it is,” Bristol said. “It’s very worrying to have to worry about your passwords and your information being leaked because there’s a lot you can do with those passwords.”

According to the complaint document, in April 2018 a former contractor accessed one of the company’s third-party cloud databases using credentials that Chegg shared with current employees and outside contractors. The former contractor accessed the database containing the personal information of more than 40 million users who used the site’s grant search program.

This personal data included names, passwords, gender identity, sexual orientation, national origin, family income and disabilities.

Additionally, the FTC states that Chegg stored user information in the clear without proper encryption.

The complaint further states that employees were victims of phishing attacks in 2019 and 2020.

Data protection is a top priority for Chegg. Chegg has worked cooperatively with the Federal Trade Commission on these matters to find a mutually acceptable outcome and will fully comply with the mandates set out in the Commission’s administrative order. The incidents in the Federal Trade Commission’s complaint related to problems that arose more than two years ago. No fines were imposed,” a spokesman for Chegg said in a statement.

UNC Charlotte student Stephen Beckett has used Chegg in the past to help with his homework but now says he has doubts about using the site.

“A lot of my friends use it, I’ve used it in the past, it’s scary knowing your information is out there for everyone,” Beckett said.

Related: UCPS parents share concerns about student data vulnerabilities

According to the documents, the FTC claims that as of 2021, Chegg had no written securities policies, standards, procedures or practices. In addition, the commission says that Chegg failed to provide its employees with adequate data security training, did not have multi-factor authentication, and stored users’ personal information after it was no longer needed.

WBTV spoke to Chris Furtick, the director of incident response and security engineering at Fortalice Solutions, a cybersecurity company.

“It’s unfortunate that it took the FTC four data breaches to respond, but hopefully it’ll teach other companies to make sure they’re providing adequate controls over customer data,” Furtick said.

According to Furtick, users can take two steps to protect themselves in the future: having unique passwords and applying a credit lock if their financial information is exposed.

“Make sure you have a unique password there so that if there’s a breach on any of those services, you don’t expose yourself to all your other accounts,” Furtick said. “The next thing you need to do is put in place a credit freeze, you can do this through any of the major credit bureaus and this will ensure that no accounts can be opened in your name based on information stolen from any of them Service provider.”

The FTC orders Chegg to do the following:

  • Data collection detailed and limited: Chegg must document and follow a schedule that establishes what personal information the company collects, why it collects the information, and when it deletes the information.
  • Providing consumer access to data: Chegg must provide its customers with access to data collected about them and allow them to request that the company erase that data.
  • Implement multifactor authentication: Chegg must offer its customers and employees multi-factor authentication or another authentication method to protect their accounts.
  • Implement security program: Chegg must implement a comprehensive information security program that addresses the deficiencies in the company’s data security practices, including encrypting consumer data and providing security training to its employees.

JCSU student Kobe Livingstone told WBTV that he was also reluctant to continue using Chegg, knowing the company’s history of security issues.

“I hope things get better. I hope they take better precautions about their use, but until then I can’t see myself using anything like this again,” Livingstone said.

Chegg released a statement to WBTV that it was working to improve its security procedures.

“We believe our positive negotiations with the FTC are an indication of our current robust security practices and our efforts to continuously improve our security program. Chegg is fully committed to protecting user privacy and has worked with reputable privacy organizations to improve our security measures and will continue our efforts. Most of the safety requirements are already part of our operations. Any additional requirements will apply according to the timelines set forth in our agreement with the FTC,” a Chegg spokesman said in a statement.


Leave a Reply

Your email address will not be published. Required fields are marked *