FTC Takes Enforcement Action Against EdTech Giant Chegg

The Federal Trade Commission (FTC) has taken legal action against EdTech player Chegg, alleging the firm has failed to protect its customers after suffering four data breaches since 2017.
The FTC’s proposed order alleged Chegg took “shortcuts” with the personal data of millions of its students and will mandate enhanced data security, limits to data collection, improved access controls and more autonomy for students to delete their own data.
The California-based company – which sells online tutoring and online scholarship search services, among other things – collects a large amount of personal and financial information on its customers. This includes their religious affiliation, date of birth, sexual orientation, disabilities, Social Security numbers and medical data, the FTC said.
The regulator alleged in its complaint that Chegg had failed to adequately protect this information, leading to three successful phishing attacks in the past five years.
However, perhaps the most damaging breach was when a former contractor used login information the company shared with employees and outside contractors to access a cloud database holding info on 40 million customers, the FTC said. Some of this information was subsequently sold online.
Specifically in the complaint, the FTC alleged that Chegg:
- Failed to use “commercially reasonable security measures” to protect the data, including failing to offer multi-factor authentication (MFA) to users, failing to monitor networks for suspicious activity, and allowing employees and contractors to use a single login to access sensitive information
- Stored sensitive information insecurely in the cloud in plain text and, until at least 2018, used “outdated and weak encryption” to protect user passwords
- Failed to provide adequate security training to employees and contractors or implement a written security policy until January 2021
According to the proposed order, Chegg will be required to offer MFA to customers and employees, justify and limit its data collection, and implement a comprehensive information security program including data encryption.
Chegg will also be required to provide customers with access to data collected about them and allow them to request that the company delete specific data.
“Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
“The commission will continue to act aggressively to protect personal data.”