Homework help site Chegg has leaked sensitive consumer data on more than one occasion in previous years due to its below-par security, an official report has declared.
A post (opens in new tab) from the US Federal Trade Commission (FTC) claims Chegg leaked identity data (opens in new tab) on more than 40 million consumers, casting serious doubts over its cybersecurity practices.
The FTC claimed that Chegg could have avoided most of these problems had it simply followed the basics of securing sensitive data. What’s more, the company also did not properly monitor its networks for attempts at unauthorized access and data theft.
Four major incidents
The FTC list of accusations includes the claims that Chegg didn’t require multi-factor authentication (MFA) for account access to its AWS S3 cloud databases, stored user and employee personal information in plain text, protected passwords with outdated cryptographic hash functions, did not provide adequate training for its employees and contractors, and did not set up processes for inventorying and deleting customer and employee data that was no longer needed.
All in all, the FTC listed four separate incidents: two involving the exposure of payroll information to scammers, one the leaking of sensitive material online and another where an executive’s email account was compromised.
This included one where an employee fell for a phishing attack and gave someone access to the employees’ direct deposit payroll information, one where a former contractor who used Chegg’s AWS credentials to take sensitive material from one of its S3 databases and ultimately leak it online, one in which a phishing attack resulted in the compromise of an executive’s email inbox, and one in which a senior employee responsible for payroll gave an intruder access to the company’s payroll system.
As a result, the attacker stole W-2 information on some 700 current and former employees, including birthdates and Social Security numbers.
Chegg settled its case with the FTC by agreeing to comprehensively restructure its data protection practices. Among other things, the company will now follow a schedule for the personal data it collects, why it collects it, and when it will ultimately delete it.