FTC sues Chegg for disclosing sensitive student data

In a 2018 incident, a former Chegg contractor gained access to one of its third-party cloud databases, revealing personal information such as names, email addresses and passwords, in addition to parents’ religion, sexual orientation, disabilities and income. Some of the stolen data was later found for sale online. Officials also said: Chegg didn’t have a written security policy until January 2021 and has failed to provide adequate safety training to its employees.

Now, the FTC says Chegg’s inadequate cybersecurity practices in all breaches have resulted in the disclosure of data for about 40 million users. Chegg has agreed to honor a proposed order from the FTC to improve data security, whereby the company will implement multi-factor authentication, provide security training to employees, encrypt user data, and allow customers to access and delete their data from the platform.

In a statement provided to The New York TimesChegg said data privacy was a top priority for the company and only a small percentage of users had provided data about their religion and sexual orientation as part of a scholarship discovery feature. “Chegg is fully committed to protecting users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts,” the statement said.

“Chegg took shortcuts with the sensitive information of millions of students,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, provide consumers with an easy way to delete their data, and limit information-gathering up front. The Commission will continue to act aggressively to protect personal data.”