You might trust Chegg with your tutorials or tutoring, but regulators aren't so sure. The Federal Trade Commission has filed a lawsuit accusing education technology provider Chegg of "negligent" security practices that have compromised personal data since 2017. Among the breaches, the company allegedly exposed sensitive information belonging to about 40 million customers in 2018 after a former contractor used their login to access a third-party database. The data included names, email addresses, passwords and even details such as religion, sexual orientation and parents' income. The information was eventually sold on an online black market.
Some of the stolen information belonged to employees. Chegg disclosed Social Security numbers, medical records and other information about workers.
The FTC also alleges that Chegg did not use "commercially reasonable" security measures. It reportedly allowed employees and contractors to share a single login, didn't require multi-factor authentication, and didn't check for threats. The commission added that the company kept personal data in public and relied on "outdated and weak" password encryption. Officials also say Chegg didn't even have a written security policy until January 2021 and didn't provide enough security training despite three phishing scams.
Chegg agreed to comply with the proposed restitution order, according to the FTC. The company must define the information it collects and limit the scope of such collection. It will establish multi-factor authentication and a "comprehensive" security program that includes encryption and security training. Customers will have access to their data and will be able to ask Chegg to delete that data.
We asked Chegg for comment. However, it is not the only company to face a government crackdown over security lapses. In July, Uber struck a deal with the Justice Department over its failure to tell customers about a major data breach in 2016, and the Federal Trade Commission recently fined Drizly and its CEO for alleged oversights that led to the 2020 incident. companies with poor security measures.