Homework help site Chegg accused of leaking user data

Homework help site Chegg has leaked sensitive consumer data on more than one occasion in previous years due to its below-average security, according to an official report.

A statement from the US Federal Trade Commission (FTC) claims that Chegg leaked identity data of more than 40 million consumers, raising serious doubts about its cybersecurity practices.

The FTC claimed that Chegg could have avoided most of these problems if it had simply followed the basics of protecting sensitive data. In addition, the company also failed to adequately monitor its networks for unauthorized access attempts and data theft.

Four major incidents

The FTC's list of charges includes claims that Chegg did not require multi-factor authentication (MFA) for account access to its AWS S3 cloud databases, stored user and employee personal information in plain text, protected passwords with outdated cryptographic hash functions, failed to provide adequate training to its employees and contractors, and failed to implement processes to inventory and delete customer and employee data that was no longer needed.

Overall, the FTC listed four separate incidents: two involving the exposure of payroll information to fraudsters, one involving the leak of sensitive material online, and one in which an executive's email account was compromised.

These included one where an employee fell for a phishing attack and gave someone access to the employee's direct deposit payroll information, one where a former contractor used an AWS ID from Chegg to take sensitive material from one of its S3 databases, which was ultimately leaked online, one in which a phishing attack resulted in the compromise of an executive's email inbox, and another in which a senior payroll executive gave an attacker access to the company's payroll system.

As a result, the attacker stole W-2 information on some 700 current and former employees, including dates of birth and Social Security numbers.

Chegg settled its case with the FTC by agreeing to a major review of its data protection practices. Among other things, the company will now follow a timeline of what personal data it collects, why it collects it, and when it will finally delete it.