Chegg sued by FTC after suffering four data breaches within 3 years

Gandalf_The_Grey

Gandalf_The_Grey

Level 74
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,339
Content source
https://www.bleepingcomputer.com/news/security/chegg-sued-by-ftc-after-suffering-four-data-breaches-within-3-years/
The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg after exposing the sensitive information of tens of millions of customers and employees in four data breaches suffered since 2017.

The agency's proposed order would require Chegg to shore up data security, implement multifactor authentication (MFA) to help users secure their accounts, limit collected and stored customer data, and allow customers to access and delete their data.

"Chegg took shortcuts with millions of students' sensitive information," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection, on Monday.

"Today's order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data."
Click to expand...
www.bleepingcomputer.com

Chegg sued by FTC after suffering four data breaches within 3 years

The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg after it exposed the sensitive information of tens of millions of customers and employees in four data breaches suffered since 2017.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • Wow
  • Applause
Reactions: Nevi, upnorth, silversurfer and 1 other person
F

ForgottenSeer 95367

Unless the FTC has overwhelming evidence showing Chegg was willfully or criminally negligent, Chegg can take the FTC to court and get out of it. In the USA there is no federal regulation nor mandate that says anybody is required to guarantee data protection. Cybersecurity need only meet the "best effort" standard in the US. The "best effort" standard is a loose standard.
 
  • Like
Reactions: Virtuoso and Nevi
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,435
Sloppy data security at education tech giant Chegg exposed students and workers' personal information not once but four times in various ways over four years, according to the FTC.

In response, the American consumer watchdog today ordered the company to better protect data, including encrypting sensitive information, providing multi-factor authentication to users and employees, limiting the amount of personal information it collects and retains, and training staff on security practices. Stuff that should have been done a long time ago. Additionally, the FTC noted Chegg didn't necessarily notify all of the 40 million users and employees whose private info was exposed during the four breaches.

So, per an FTC order [PDF], the tech firm also has to notify "each individual whose unencrypted Social Security number, financial account information, date of birth, user account credentials, or medical information was exposed" within the next 60 days.
Click to expand...
First, in 2017, Chegg employees fell for a phishing attack, which gave criminals access to employees' direct deposit information.

A year later, a former contractor accessed one of Chegg's S3 databases using an AWS Root Credential, and stole a database containing about 40 million users' data. This included email addresses, first and last names, passwords, and, for some users, their religious denomination, heritage, date of birth, parents' income range, sexual orientation, and disabilities.

Later in 2018, a threat-intel firm notified Chegg that a file containing some of the stolen information was up for sale in an online forum. "Chegg reviewed the file as part of its own investigation, finding it held, among other things, approximately 25 million of the exfiltrated passwords in plain text, meaning the threat actors had cracked the hash for those passwords," according to the complaint. In response, Chegg required about 40 million users to reset their passwords. But it continued to store students' personal information in plain text, we're told.

In 2019, following another successful phishing attack, miscreants stole a senior executive's credentials and used those to access the exec's email inbox, which contained users' and employees' financial and medical information. The email system remained in its default configuration, which meant it didn't require MFA to access inboxes, the complaint said.
Click to expand...
www.theregister.com

FTC gives educational tech firm an F for data security

Chegg it out: Four blunders in four years
www.theregister.com www.theregister.com
 
  • Like
Reactions: Gandalf_The_Grey, Nevi and harlan4096
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Applause
    • +Reputation
Strike three: FTC says Meta still failing to protect user privacy
Replies
0
Views
341
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • Applause
FTC to ban BetterHelp from sharing mental health data with advertisers
Replies
2
Views
602
News Archive
BryanB
BryanB
BryanB
    • Like
    • Wow
FTC: $1.3 billion lost by 70,000 Americans to romance scams last year
Replies
2
Views
320
News Archive
Zero Knowledge
Z

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top