Chegg, Inc., sells educational products and services directly to high school and college students. That includes renting textbooks, guiding customers in their search for scholarships, and offering online tutoring. But according to the FTC, the ed tech company’s lax security practices resulted in four separate data breaches in a span of just a few years, leading to the misappropriation of personal information about approximately 40 million consumers. The FTC complaint and some notable provisions in the proposed settlement suggest that it’s time for a data security refresher course at Chegg. Are there lessons your company can learn from where the FTC says Chegg failed to make the grade?
In the course of its business, California-based Chegg collected a treasure trove of personal information about many of its customers, including their religious affiliation, heritage, date of birth, sexual orientation, disabilities, and parents’ income. Even the Chegg employee in charge of cybersecurity described the data gathered as part of its scholarship search service as “very sensitive.”
A key component of Chegg’s information technology infrastructure was Simple Storage Service (S3), a cloud storage service offered by Amazon Web Services (AWS) that Chegg used to store a substantial amount of customer and employee data. You’ll want to read the complaint for the details, but the FTC cites a number of examples of what Chegg did – and didn’t do – that were indicative of the company’s lax security practices. For example, the FTC alleges that:
- Chegg allowed employees and third-party contractors to access its S3 storage with a single shared AWS access key that carried full administrative privileges over everything stored there, rather than individual, least-privilege credentials.
- Chegg didn’t require multi-factor authentication for accounts that could access the S3 storage.
- Rather than encrypting the data, Chegg stored users’ and employees’ personal information in plain text.
- Until at least April 2018, Chegg “protected” passwords with outdated cryptographic hash functions.
- Until at least April 2020, Chegg failed to provide adequate data security training for employees and contractors.
- Chegg didn’t have processes in place for inventorying and deleting customers’ and employees’ personal information once there was no longer a business need to maintain it.
- Chegg failed to monitor its networks adequately for unauthorized attempts to sneak in and illegally transfer sensitive data out of its system.
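The password-hashing item in the list above is worth seeing in code. The following is an added illustration, not code from the FTC complaint or from Chegg; the complaint says only “outdated cryptographic hash functions,” so the choice of unsalted MD5 as the legacy scheme and PBKDF2-HMAC-SHA256 as the replacement is an assumption made for the example. It shows why an unsalted fast hash is recoverable from a tiny constructed wordlist and how a salted, iterated hash with constant-time verification avoids that.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample wordlist standing in for a leaked common-password list.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]

# Assumed iteration count for PBKDF2-HMAC-SHA256 (a 2023-era OWASP figure).
PBKDF2_ITERATIONS = 600_000


def legacy_md5_hash(password: str) -> str:
    """Outdated scheme (assumed for illustration): unsalted, single-round MD5.
    Fast to compute and identical for every user with the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_legacy_hash(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Recover the plaintext behind an unsalted MD5 hash by hashing each
    candidate once. Without a salt, one precomputed table works against
    every stored hash, which is what makes the scheme outdated."""
    for candidate in wordlist:
        if legacy_md5_hash(candidate) == stored_hash:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Modern scheme: a random 16-byte per-user salt and an iterated
    PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest' so the
    parameters travel with the hash and can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters and compare it in
    constant time so the comparison does not leak how many bytes matched."""
    iterations_str, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations_str)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    legacy = legacy_md5_hash("letmein")
    print("legacy MD5 hash:", legacy)
    print("recovered from wordlist:", crack_legacy_hash(legacy, COMMON_PASSWORDS))

    modern = hash_password("letmein")
    print("PBKDF2 record:", modern)
    print("verify correct password:", verify_password("letmein", modern))
    print("verify wrong password:", verify_password("letmeout", modern))
    print("same password, different record:", hash_password("letmein") != modern)
```

The two functions side by side make the operational point: with the legacy scheme, a single stolen table of hashes can be matched against a wordlist offline in seconds, and every user who chose the same password falls at once; with the salted, iterated scheme each guess costs hundreds of thousands of hash operations and must be repeated per user.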
Should it come as a surprise that the complaint also recounts four separate episodes that led to the illegal exposure of personal information? Incident #1 stemmed from Chegg employees falling for a phishing attack that gave a data thief access to the employees’ direct deposit payroll information. Incident #2 involved a former contractor who used a Chegg AWS credential, still valid after the engagement ended, to pull sensitive material from one of the company’s S3 buckets – information that ultimately found its way onto a public website.
Then came Incident #3: a phishing attack that took in a senior Chegg executive and allowed the intruder to bypass the company’s multifactor email authentication system. Once in the executive’s email box, the intruder had access to personal information about consumers, including financial and medical information. In Incident #4, a senior employee responsible for payroll fell for another phishing attack, thereby giving the intruder access to the company’s payroll system. The intruder left with the W-2 information of approximately 700 current and former employees, including their birthdates and Social Security numbers.
In each of the four incidents cited in the complaint, the FTC alleges that Chegg had failed to take simple precautionary steps that would have likely helped prevent or detect the threat to consumer and employee data – for example, requiring employees to take data security training on the telltale signs of a phishing attempt.
To settle the case, Chegg has agreed to a comprehensive restructuring of its data protection practices. As part of the proposed order, Chegg must follow a schedule that sets out the personal information it collects, why it collects the information, and when it will delete the data. In addition, Chegg must give customers access to the information collected about them and honor requests to delete that data. Chegg also must provide customers and employees with two-factor authentication or another authentication method to help protect their accounts. Once the proposed order appears in the Federal Register, the FTC will accept public comments for 30 days.
What can other companies learn from the lessons of Chegg?
Exercise special care when storing sensitive information. Once your company has sensitive information in its possession, you’ve upped the ante on your obligation to keep it secure. And once the legitimate business need to maintain that data has passed, security-savvy companies safely dispose of it. But perhaps the preliminary question is whether you really need that kind of confidential data in the first place. If you don’t collect it, you don’t have to protect it.
Limit access to sensitive information. An all-access backstage pass sounds like a blast when your favorite band comes to town, but it’s a terrible idea for managing data at your company. Limit access to employees and contractors for whom that data is an essential component of their job. But when the project is finished or their duties change, cut off their access immediately.
Respond to data incidents immediately and definitively. Had Chegg followed the fundamentals outlined in Start with Security or the takeaway guidance from any number of the FTC’s data security actions, the company might have spared some of those 40 million consumers the headache of having their data exposed in the first place. But experiencing a data security incident – and certainly four data security incidents – should have triggered a comprehensive review of Chegg’s procedures.
Conduct regular in-house security training. As part of your on-boarding process, educate new employees and contractors about your security standards. Follow up periodically with refreshers and again when threats and risks have changed. We know in-house training can sometimes induce eye rolls – we blame those awful high school health class film strips – but there’s no law requiring data security training to be boring. Yes, you should involve your IT staff, but also consult with creative people at your company. Color, video, quizzes, IRL stories, etc., can help engage your audience. You don’t have to start from scratch. The FTC’s Cybersecurity for Small Business resources may offer some inspiration.