FTC Finalizes Order with Ed Tech Provider Chegg for Lax Security that Exposed Student Data

The Federal Trade Commission has finalized its order with education technology provider Chegg Inc. for its careless data security practices that exposed sensitive information about millions of Chegg’s customers and employees, including Social Security numbers, email addresses, and passwords.

In a complaint first announced in October 2022, the FTC said that Chegg failed to protect the personal information it collected from users and employees. For example, the company stored users’ personal data on its cloud storage databases in plain text and, until at least 2018, employed outdated and weak encryption to protect user passwords. As a result of its poor data security, Chegg experienced four data breaches that exposed the personal information of about 40 million users and employees, including users’ email addresses and sensitive scholarship data such as their dates of birth, sexual orientation and disabilities, as well as financial and medical information about Chegg employees.

The FTC’s order requires Chegg to implement a comprehensive information security program, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to request access to and deletion of their data.

After receiving only one substantive comment, the Commission voted 4-0 to finalize the order with Chegg and send a letter to the commenter.

error: Content unreachable !!