Chegg, Inc. sells educational products and services directly to high school and college students. This includes renting textbooks, guiding clients in finding scholarships, and providing online tutoring. But according to the FTC, the education technology company’s lax security measures led to four separate data breaches in just a few years, resulting in the personal information of approximately 40 million consumers being stolen. The FTC’s complaint and some noteworthy terms in the proposed settlement suggest that it’s time for a data security refresher course at Chegg. Is there anything your company can learn from the FTC’s finding that Chegg failed to meet its standards?
California-based Chegg has amassed a trove of personal information about many of its customers in the course of its business, including their religious beliefs, traditions, dates of birth, sexual orientation, disabilities and parents’ income. Even Chegg employees responsible for cybersecurity describe the data collected by its scholarship search service as “very sensitive.”
A key element of Chegg’s information technology infrastructure is Simple Storage Service (S3), a cloud storage service provided by Amazon Web Services (AWS) that Chegg uses to store large amounts of customer and employee data. You’ll need to read the complaint for the details, but the FTC cites many examples of things Chegg did and didn’t do that show the company’s lax security practices. For example, the Federal Trade Commission claims:
- Chegg allows employees and third-party contractors to access S3 databases using a single access key that provides full management rights to all information.
- Chegg does not require multi-factor authentication to access accounts with S3 databases.
- Chegg does not encrypt data and instead stores user and employee personal information in plain text.
- As of at least April 2018, Chegg used an outdated cryptographic hash function to “protect” passwords.
- Until at least April 2020, Chegg failed to provide adequate data security training to employees and contractors.
- Chegg did not have a process in place to inventory and delete customer and employee personal information once the business no longer needed to maintain it.
- Chegg failed to adequately monitor its network to prevent unauthorized attempts to infiltrate its systems and illegally transfer sensitive material out of its systems.
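To make the password-hashing allegation concrete, here is an added example (not code from the complaint or from Chegg) that contrasts an outdated scheme with a hardened one and shows how to migrate stored records at login. The complaint does not name the outdated function, so a single unsalted pass of a fast hash is assumed for the legacy side; the iteration count and record format are likewise this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; chosen here, raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """Assumed outdated scheme: one unsalted pass of a fast hash.
    Identical passwords yield identical digests, so a leaked table can be
    attacked with precomputed lookups and at the full speed of the hash."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Hardened scheme: random per-user salt plus many PBKDF2 iterations.
    Record format 'pbkdf2_sha256$iterations$salt_hex$digest_hex' keeps the
    parameters with the record so they can be raised without breaking old ones."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def upgrade_on_login(password: str, stored: str) -> Optional[str]:
    """Migrate a legacy record the first time its owner authenticates.
    Returns the record to store (a fresh PBKDF2 record for a legacy match,
    the unchanged record for a modern match) or None when login is denied."""
    if stored.startswith("pbkdf2_sha256$"):
        return stored if verify_password(password, stored) else None
    if hmac.compare_digest(legacy_hash(password), stored):
        return hash_password(password)
    return None


def same_digest_for_same_password(scheme) -> bool:
    """True when two users sharing a password get identical stored values,
    which is exactly the weakness a per-user salt removes."""
    return scheme("correct horse battery staple") == scheme("correct horse battery staple")
```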
Is it surprising that the complaint also describes four separate incidents that resulted in the unlawful disclosure of personal information? Incident #1 stemmed from a Chegg employee falling victim to a phishing attack that allowed data thieves to access employees’ direct deposit payroll information. Incident #2 involved a former contractor who used Chegg’s AWS credentials to obtain sensitive information from one of the company’s S3 databases, which ended up on a public website.
Then came Incident #3: a phishing attack that targeted a senior Chegg executive and allowed the intruders to bypass the company’s multi-factor email authentication system. Once inside the executive’s mailbox, the intruders could access personal information about consumers, including financial and medical information. In Incident #4, a senior employee responsible for payroll was once again the victim of a phishing attack, allowing intruders to gain access to the company’s payroll system. The intruders obtained W-2 information for about 700 current and former employees, including their dates of birth and Social Security numbers.
In each of the four incidents cited in the complaint, the FTC alleged that Chegg failed to take simple precautions that could have helped prevent or detect threats to consumer and employee data, for example by requiring employees to undergo data security training on the signs of phishing attempts.
To resolve the case, Chegg agreed to a complete restructuring of its data protection practices. As part of the proposed order, Chegg must follow a schedule outlining the personal information it collects, why it is collected and when it is deleted. Additionally, Chegg must allow customers to access the information collected about them and honor requests to delete that data. Chegg must also provide customers and employees with two-factor authentication or other authentication methods to help protect their accounts. Once the proposed order appears in the Federal Register, the FTC will accept public comments for 30 days.
What can other companies learn from Chegg’s lessons?
Be especially careful when storing sensitive information. Once your company gets hold of sensitive information, you up the ante on your obligation to keep it secure. Once the legitimate business need to maintain the data has passed, security-savvy companies dispose of it securely. But perhaps the preliminary question is whether you really need this confidential information in the first place. If you don’t collect it, you don’t have to protect it.
Restrict access to sensitive information. An all-access backstage pass when your favorite band comes to town may sound like a blast, but when it comes to managing your company’s data, it’s a terrible idea. Restrict access to those employees and contractors whose jobs actually require the data. And when the project is completed or their responsibilities change, cut off their access immediately.
Respond quickly and thoroughly to data incidents. Had Chegg followed the rationale outlined in Start with Security, or taken guidance from the FTC’s many data security actions, the company might have spared some of those 40 million consumers from a data breach. But experiencing one data security incident, and certainly four data security incidents, should trigger a comprehensive review of a company’s procedures.
Conduct regular internal security training. Educate new employees and contractors on security standards as part of the onboarding process. Refresh the training regularly and follow up again as threats and risks change. We know that in-house training sometimes elicits eye rolls—we blame those bad movie clips in high school health class—but there’s no legal requirement that data security training be boring. Yes, you should involve your IT staff, but you should also consult with your company’s creative staff. Colors, videos, quizzes, real-life stories, and more can help engage your audience. You don’t have to start from scratch. The Federal Trade Commission’s Cybersecurity for Small Business resources might provide some inspiration.